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TITLE OF THE INVENTION 

APPARATUS FOR SOLVING SYSTEM OF EQUATIONS ON FINITE FIELD 
AND APPARATUS FOR INVERTING ELEMENT OF EXTENSION FIELD 

This application is based on applications Nos. 11-203055 and 
2000-140886 filed in Japan, the contents of which are hereby 
incorporated by reference. 

BACKGROUND OF THE INVENTION 
Field of the Invention 

The present invention relates to cryptographic and error 
correction techniques for information security, and in particular 
relates to computation techniques which use extension fields and 
systems of equations. 
Description of t he Prior Art 

Secret communication or digital signature techniques have 
increasingly been used in data communication in recent years. 

Secret communication techniques allow communication to be 
performed without the communicated content being revealed to 
third parties. Digital signature techniques, meanwhile, enable 
the recipient to verify whether the communicated content is valid 
or whether the information is from the stated sender. Such 
secret communication or digital signature techniques use a 
cryptosystem called public key cryptography. Public key 



cryptography provides a convenient method for managing the 
separate encryption keys of many users, and so has become a 
fundamental technique for performing communication with a large 
number of users. 

5 In the public key cryptography, different keys are used for 

encryption and decryption, with the decryption key being kept 
secret and the encryption key being made public. Here, one of 
the founding principles for the security of public key 
cryptography is the so-called discrete logarithm problem. 

10: Representative examples of the discrete logarithm problem are 

problems based on finite fields and problems based on elliptic 
curves. Such problems are described in detail in Neal Koblitz 
(1987), A Course in Number Theory and Cryptography, Springer- 
Verlag. 

15. (Elliptic Curve Discrete Logarithm Problem) 

; The elliptic curve discrete logarithm problem is the 

following. 

Let E be an elliptic curve defined over a finite field GF(q) 
{q=p n , p a prime, n a positive integer) , with a point G on the 
20 elliptic curve E, given when the order of E is divisible by a 

large prime, being set as a base point. This being so, the 
problem is to find an integer x such that 
Y=x*G 

where Y is a given point on E, if such an integer x 
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exists . 

In this specification, the operator * represents elliptic 
curve exponentiation, so that x*G means G is added to itself x 
times on E. Also, GF (q) is an extension field of a finite field 
GF(p). For details about extension fields, see T. Okamoto & H. 
Yamamoto (1997), Modern Encryption, Mathematics of Information 
Sciences Series, Sangyo Tosho, pp. 26-28. 

(Prior Art 1: ElGamal Signature Scheme Which Uses the Elliptic 
Curve Discrete Logarithm Problem) 

The ElGamal signature scheme using the elliptic curve 
discrete logarithm problem is described below with reference to 
Fig. 9. 

In the figure, a device 310 used by a user A (hereafter, 
"user A 310"), a management center 320, and a device 330 used by 
a user B (hereafter, "user B 330") are connected via a network. 

Let p be a prime, q=p" r n be a positive integer, and E be an 
elliptic curve over a finite field GF (q) , with G being a base 
point of E and r being the order of G. Which is to say, r is the 
smallest positive integer that satisfies 
r*G=0 

where 0 is the zero element in the additive group on the 
elliptic curve E. 

(1) Public Key Generation by the Management Center 320 

First, the management center 320 generates a public key Y A of 



the user A 310 using the user A's secret key x A which has been 
informed beforehand, according to the equation 

(SI, S2) . 

The management center 320 announces the finite field GF (q) , 
the elliptic curve E, and the base point G as system parameters, 
and reveals the public key Y A of the user A 310 to the user B 330 
(S3, S4) - 

(2) Signature Generation by the User A 310 

The user A 310 generates a random number k (S5) , calculates 

R 1 =(r x ,r y )=k*G 
(S6), and finds s satisfying 
s*k=m+r x xx A mod r 
(SI) where m is a message to be sent from the user A 310 to 
the user B 330. 

The user A 310 sends the message m and the signature (R lf s) 
to the user B 330 (S8) . 

(3) Signature Verification by the User B 330 

The user B 330 verifies the authenticity of the user A 310 
by judging whether 

s*R 1 =m*G+r x *Y A 
is true (S9) . 

This equation is derived from 

s *R 1 =[ ( (m+r x xx A ) /k) *k] *G 
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= (m+r x *x A ) *G 
=m *G+ (r x *x A ) *G 
=m*G+r x *Y A 

In this ElGamal digital signature scheme using the elliptic 
curve discrete logarithm problem, elliptic curve exponentiation 
is repeatedly performed to generate the public key and the 
signature and to verify the signature. 

For details on elliptic curve exponentiation, see "Efficient 
Elliptic Curve Exponentiation" in Miyaji, Ono & Cohen (1997), 
Advances in Cryptology-Proceedings of ICICS'97, Lecture Notes in 
Computer Science, Springer-Verlag, pp. 282-290 (hereafter 
"document 1") . 

Let an elliptic curve be defined by an equation of the 

form 

y 2 =x 3 +a *x+b 

with some point P on the elliptic curve being represented by 
2 -tuple coordinates (x 1 ,y 1 ) called affine coordinates. 

Elliptic curve exponentiation in the 2-tuple coordinate is 
known to involve inverse operations on the finite field GF(q) . 

Document 1 makes brief mention of a 3-tuple coordinate called 
projective coordinate. 2-tuple coordinates can be transformed 
into corresponding 3-tuple coordinates as shown by 

(X 1 rY 1 )~(X 1 'Yl'l) 

Elliptic curve exponentiation in the 3-tuple coordinate 



involves no inverse operations on the finite field GF(q). Since 
inverting a finite field element generally takes considerable 
computation time, the 3-tuple coordinate is often used in 
elliptic curve exponentiation. 

However, when transforming 3-tuple coordinates into 
corresponding 2-tuple coordinates as shown by 
(X, Y,Z)-(X/Z r Y/Z) 

inversion on the finite field GF (q) is necessary. 

In step S6 in Fig. 9, for instance, after 2-tuple coordinates 
are transformed into 3-tuple coordinates, elliptic curve 
exponentiation is performed on the 3-tuple coordinates, and the 
resulting 3-tuple coordinates are transformed into corresponding 
2-tuple coordinates. Inversion is needed in this transformation 
of the 3-tuple coordinates to the 2-tuple coordinates. 
(Prior Art 2: Inversion in an Extension Field) 

A conventional inverse operation on an extension field GF(q) 
{q=p n , p a prime, n a positive integer) is performed in the 
following way. 

For simplicity's sake, a generator polynomial of the 
extension field GF(q) is set as f(g)=g n -/3 whose root is a, and an 
element of GF(q) to be inputted in the generator polynomial is 
set as 

x=x 0 +x 1 xa+ ' - • +x n _ 1 xa"' 1 

(1) Step 1 



Based on the element x of GF (q) , a system of equations for 
Yi (i=0,l, ... ,n-l) 

x 0 y 0 +Px n _ lYl +l3x n _ 2 y 2 +- • • +/3x lYn _ 1 =l 

x 1 y 0 +x o y 1 +0x n . 1 y 2 + ■ ■ ■ +Px 2 y n _ 1 =o 

5 x 2 y g +x lYl + x 0 y 2 + ■ • • +J3x 3 y n , 1 =0 



Xn- 2 Y 0 +Xn-3?1 +Xn-4Y2 + ' ' ' +^ n -lY n -l = 0 
Xn-lYo +* n - 2 Yl +*n-3Y2 + ' ' ' + X oY B -l =0 

is formed. 

(2) Step 2 

The solutions y k (k=0 ,1 , . . . ,n-l) of the system of equations 
are sought. 

(3) Step 3 

From the solutions y k (k=0 ,1, . . . ,n-l) , the inverse 
I=Yo+Yia+ ■ • ' +Y n -i<x~ 1 

is calculated. Hence the inverse of the element x in the 
extension field GF(q) is obtained. 

The validity of this inverse operation is shown below. 

I f the inverse I and the element x satisfy the 
relationship 

xl=l mod f(g) 

then 

xl=x 0 (yo+y^ ' ' ' +Y n - 1 a~ 1 ) 
+x 1 a(y 0 +y 1 a+- ■ •+y n . 1 cP~ 1 ) 
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+x 2 a (y 0 +y 1 a+ • • • +y a . l oP' 1 ) 



+x n _ 1 a~ 1 (y 0 +y 1 a+-- ■+y n . 1 a' 1 ) 

and also 

a n =/3 mod f (g) 
Accordingly, 

xl=x 0 (y 0 +y 1 a+ ■ • -+y n . 1 Q p ' 1 ) 

+x 1 (y 0 oc+y 1 a 2 + • - • +y n . 1 P) 

+x 2 (y 0 a 2 +y 1 a 3 + • • • +y n . 1 or/3) 

+ x n-i (yo^' 1+ y^ + ' " + y n -i an ' 2 fi> 

which can be rearranged in ascending order of power of a 

into 

xI=x 0 y 0 +p*x a _ 1 *Y 1 +- •+&x 1 y n _ 1 
+a(x 1 y 0 +x 0 xy 1 +- ■+/3x 2 y n _ 1 ) 
+a (x 2 y 0 +x 1 y 1 + • • • +J3x 3 y a _ 1 ) 

+a~ 1 (x n - 1 y 0 +x n - 2 Yi + - ' - + XoYn-i> 

From this equation and the relationship xl=2, the system of 
equations in step 1 is derived. 

Therefore, calculating an inverse in the extension field 
GF(q) is equivalent to solving a system of equations on the basic 
field GF(p) . 

Though the foregoing example uses the generator polynomial 



of the form g n -j3 for simplicity's sake, a system of equations can 
be formed by the same procedure for a generator polynomial of 
ordinary form. 

(Prior Art 3: Solution of a System of Equations on the basic 
field GF(p)) 

A conventional method for solving a system of equations on 
the basic field GF(p) is described below. This method is called 
Gaussian elimination. For details on Gaussian elimination, see 
K. Mizugami (1985), Mathematical Calculations by Computers, 
Introduction to Programming Series, Asakura Shoten, pp. 7 6-82 
(hereafter "document 2") . 

A system of equations for x k (k=0 ,1 ,2 , . . . ,n-l) 

a 21 X 0 +£L 22 X l + ' ' •+ a 2n X n-l =b 2 
a nl X 0 +a n2 K l + ' ' ' +a nn X n-l = b n 

is solved by Gaussian elimination in the following manner. 
(Step 1) 

A matrix M and a vector v are given respectively as 

( a il a i2 - O 
a 21 a 22 "' 3 2n 
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Meanwhile, a vector X is given as 




Then the above system of equations can be simply written as 
MX=v 

The matrix M and the vector v are triangular transformed so 
as to put the matrix M into upper triangular form, as a result of 
which a matrix M' and a vector v' are generated. Here, the 
triangular transformation is such a transformation that changes 
all elements beneath the diagonal elements of a matrix to 0, and 
such a transformed matrix is called an upper triangular matrix. 

The procedure of this conventional triangular transformation 
is explained below with reference to Fig. 10. 

First, counter j is set at 1 (S21) . Next, the inverse Ij of 
a 3J is computed (S22) , 1 is assigned to a^ (S23) , and a jk =a jk xl j and 
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Jb =bjXij are set for j+l^k^n (S24) . Then counter i is set at j+1 
(S25) . 

Following this, 0 is assigned to a ±j (S26) , a^a^-a^a^ is 
set for j+l<k*n (S27) , and also jb^i^-a^ ^ is set (S28) . Then it 
is judged whether i=n (S29) . If counter i is incremented by 

2 (S31) and the procedure returns to step S26. If i=n, it is 
judged whether j=n (S30) . If j*n, counter j is incremented by 1 
and the procedure returns to step S22. If j=n, the procedure 
ends. 

As a result, the matrix M' and the vector v' are obtained. 
The matrix M' is a matrix whose diagonal elements are all 1 and 
whose elements beneath the diagonal elements are all 0. 

The system of equations M'X=v' and the system of equations 
MX=v have an equivalence relation. 

Let the matrix M' and the vector v' be written respectively 



^11 ^12 
C 21 °22 



(Step 2) 



The system of equations M'X=v' is solved using the generated 
matrix M' and vector v', in the following way. 

The values n-1, ... , 2, 0 are set one by one in counter c 
in this order. For counter c, 



is calculated when c^n-1. 
(Concrete Example) 

A concrete example of applying the prior art 3 is presented 
below. 

Note that this example is provided here only for facilitating 
the understanding of the triangular transformation, and is not an 
example of practical use in cryptographic communication or 
digital signature systems. 

When a prime p=31, a generator polynomial f (g) =g 5 -2, and an 
element x=5a+ 29a 3 + 6a 2 +l 9a+l 7 of GF (q) are given, the 
calculations 



is calculated when c=n-l, and 




x*a=5a 5 +29a 4 +6a+19a+l la 



=29a 4 +6a 3 +19a 2 +l la+5*2 



xxa 2 =29a 5 +6a 4 +19a 3 +l la 2 +10a 
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=6d+19a 3 +17a 2 +10a+29*2 
xx a 3 =6a+19a+17a+10a 2 +27a 
=19a+17a 3 +10a+27a+6x2 
xxa=19a+17a+10a+27a+12a 
=1 7a +1 0a 3 +2 7a+12a+l 9 *2 
lead to a system of equations shown in Fig. 11(a), where a 
coefficient matrix 301 consists of 5 rows and 5 columns and a 
constant vector 302 consists of 5 elements. 

In the system of equations in Fig. 11(a), a linear 
equation 

1 7x 0 +l 0x 2 +2 7x 2 +12x 3 + 7x 4 =l 
is called a pivotal equation that serves as the pivot of 
transformation, and the other linear equations are called object 
equations that are to be transformed. 
First, the inverse operation 

1/17 mod 31 =11 
is performed, and then 

10x11 mod 31 =17 
27x12 mod 31 =18 
12x11 mod 31 =8 
7x11 mod 31 =15 
Ixii mod 31 =11 
are calculated. As a result, the system of equations is 
transformed as shown in Fig. 11(b), where the element in the 
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first column and row has become 1 in a coefficient matrix 311. 
The elements enclosed with the boxes in the coefficient matrix 
311 and constant vector 312 in Fig. 11(b) are those which have 
changed from the coefficient matrix 301 and constant vector 302 
in Fig. 11(a). The same goes for the rest of Fig. 11. 

Here, the above inverse operation 1/17 mod 31 =11 is carried 
out by first seeking a which satisfies 
a*17+bx31=l 

by means of the extended GCD (Greatest Common Divisor) , and 
then setting a as the inversion result. 

In general, the extended GCD takes considerable computational 
complexity, as it involves repeated multiplications and 
additions. For details on the extended GCD, see H. Cohen (1996) 
"A Course in Computational Algebraic Number Theory" in Graduate 
Texts in Mathematics 138, Springer-Verlag, pp. 16-19. 

Next, 

17-17x19=4 mod 31 

10-18x19=9 mod 31 

27-8x19=30 mod 31 

12-15x19=6 mod 31 

0-11x19=8 mod 31 
are calculated to convert the element in the first column and 
second row in the coefficient matrix 311 to 0, and in a like 
manner the elements in the first column and third to fifth rows 
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in the coefficient matrix 311 are converted to 0, thereby 
transforming the coefficient matrix 311 in Fig. 11(b) into a 
coefficient matrix 321 shown in Fig. 11(c). The constant vector 
312 is also transformed into a constant vector 322, as a result 
of which a system of equations shown in Fig. 11(c) is obtained. 

Next, the coefficient matrix 321 is transformed into a 
coefficient matrix 331 so that the element in the second column 
and row becomes 1, and the constant vector 322 is transformed 
into a constant vector 332. Hence a system of equations shown in 
Fig. 11(d) is obtained. Further, the coefficient matrix 331 is 
transformed into a coefficient matrix 341 so that the elements in 
the second column and third to fifth rows become 0, and the 
constant vector 332 is transformed into a constant vector 342. 
Hence a system of equations shown in Fig. 11(e) is obtained. 

Likewise, the element in the third column and row is 
converted to 1 in a coefficient matrix 351 in Fig. 11(f), and the 
elements in the third column and fourth to fifth rows are 
converted to 0 in a coefficient matrix 361 in Fig. 11(g). After 
this, the element in the fourth column and row is converted to 1 
in a coefficient matrix 371 in Fig. 11(h), and the element in the 
fourth column and fifth row is converted to 0 in a coefficient 
matrix 381 in Fig. 11 (i) . Lastly, the element in the fifth 
column and row is converted to 1 in a coefficient matrix 391 in 
Fig. 11 (j) . 
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Thus, the coefficient matrix 301 is transformed into the 
upper triangular matrix 391. 
Following this, 
Y 4 =29 

y =15-21*29 

=26 mod 31 
y =11-^x26-28*29 

=25 mod 31 
yi =2-10*25-23x26-l 7x29 

=25 mod 31 
y =11-11*25-18*25-8x26-15*29 

=12 mod 31 

are computed. 
(Computational Complexity) 

The total computational complexity of the prior art 3 is 
evaluated below. Here, computational complexity of one 
multiplication on a basic field is measured as IMul and 
computational complexity of one inversion on the basic field is 
measured as llnv. 

In step 1 in the prior art 3, computational complexity for 
one value of counter j can be broken down as follows. 

(a) Step S22 involves one inversion, so that computational 
complexity is llnv. 

(b) Step S24 involves ( (n- ( j + 1 ) + 1 ) + 1 ) = (n-j + 1) 
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multiplications, so that computational complexity is (n- 
j+l)Mul. 

(c) For one value of counter i, step S27 involves (n- (j+1) +1) 
multiplications and so computational complexity is (n-j)Mul (cl) , 
and step S28 involves one multiplication and so computational 
complexity is lMul (c2) . Since counter i changes from j+1 to n, 
(cl) and (c2) are repeated (n- (j+1) +1) = (n-j ) times, which makes 
the computational complexity of for all values of counter c at 
((n-j) (n-j+l))Mul. 

Summing (a) , (b) , and (c) together results in computational 
complexity of ( (n-j+1) (n-j+1) ) Mul+llnv. 

Since counter j changes from 2 to n, the total computational 
complexity of step 1 is 



On the other hand, computational complexity of step 2 in the 
prior art 3 is as follows. 

For one value of counter c, (n- (c+1) +1) = (n-c) multiplications 
are necessary, so that computational complexity is (n-c)Mul. 



J7 (((n-j+1) (n-j+1)) Mul +1 Inv) 




= (l/6*n (n+1) (2n+l) )Mul+nInv 
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Since counter c changes from 1 to n, the total computational 
complexity of step 2 is 

c=l 

=£(c-l)Mul 

c=l 

= (£c-£l)Mul 

c=l c=l 

= (l/2*n (n+1) -n)Mul 
= (l/2xn (n-D)Mul 

Therefore, the overall computational complexity of the prior 
art 3 is 

(l/6*n (n+1) (2n+l) +l/2*n (n-1) )Mul+nInv 
=l/3xn* (n 2 +3n-l)Mul+nInv 

It is known that in a general-purpose computer Hnv=40Mul 
when n=5 and \q\=160 {\q\ is the bit size of q) . Accordingly, the 
overall computational complexity of the prior art 3 is 265Mul. 

As described above, an inverse of an element in an extension 
field can be computed by solving a system of equations on a 
finite field. Nevertheless, given that computational complexity 
of inversion needed in solving the system of equations is 
generally large, there still remains the demand to further reduce 
computational complexity of solving a system of equations on a 
finite field, and to thereby reduce computational complexity of 
inverting an extension field element. 
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SUMMARY OF THE INVENTION 

In view of the stated demand, the present invention aims to 
provide an apparatus, method, and storage medium storing a 
program for solving a system of equations on a finite field with 
reduced computational complexity, an apparatus, method, and 
storage medium storing a program for inverting an element in an 
extension field with reduced computational complexity, and a 
communication system and a record medium reproducing apparatus 
that utilize these apparatuses and methods. 

The above object can be achieved by an apparatus for use in 
encryption or decryption, for solving a system of linear 
equations Ax=b in n unknowns on a finite field GF(p), where p is 
a prime, n is a positive integer, A is a coefficient matrix 
consisting of elements of n rows and n columns, x is a vector of 
unknowns consisting of n elements, and i) is a constant vector 
consisting of n elements, the apparatus including: a parameter 
storing unit for storing the coefficient matrix A and the 
constant vector b; a triangular transforming unit for reading the 
coefficient matrix A and the constant vector b from the parameter 
storing unit, and transforming the read coefficient matrix A and 
constant vector b to generate a coefficient matrix C and a 
constant vector d for a system of linear equations Cx=d in n 
unknowns that is equivalent to the system of linear equations 
Ax=b, the coefficient matrix C consisting of elements of n rows 
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and n columns and the constant vector d consisting of n elements, 
wherein the coefficient matrix A is triangular transformed into 
the coefficient matrix C of upper triangular form without 
diagonal elements of the coefficient matrix A being changed to 2; 
a diagonal element inverting unit for calculating inverses of 
diagonal elements of the generated coefficient matrix C on the 
finite field GF(p); and an equation computing unit for solving 
the system of linear equations Cx=d using the coefficient matrix 
C, the constant vector d, and the inverses of the diagonal 
elements of the coefficient matrix C, to thereby solve the system 
of linear equations Ax=b. 

With this construction, the system of linear equations can 
be solved with reduced computational complexity. 

Here, the triangular transforming unit may perform one or 
more successive transformation processes to generate the 
coefficient matrix C and the constant vector d of the system of 
linear equations Cx=d from the coefficient matrix A and the 
constant vector b of the system of linear equations Ax=b, wherein 
in each transformation process the triangular transforming unit 
transforms a coefficient matrix and a constant vector of a system 
of linear equations in n unknowns, into a coefficient matrix and 
a constant vector of a system of linear equations in n unknowns 
that is equivalent to the system of linear equations before the 
transformation, where the system of linear equations Ax=b is 
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subjected to the first transformation process and the system of 
linear equations Cx=d is generated as a result of the last 
transformation process, wherein in each transformation process 
the system of linear equations in n unknowns that is subjected to 
the transformation includes one pivotal equation which is a 
linear equation serving as a pivot for the transformation and one 
or more object equations which are linear equations to be 
transformed, and the triangular transforming unit transforms each 
of the object equations into an equation equivalent to the object 
equation by defining a first coefficient group containing at 
least one value related to the pivotal equation and a second 
coefficient group containing n+1 values related to the pivotal 
equation, changing a nonzero coefficient in the object equation 
to 0, multiplying each of a constant and n coefficients in the 
object equation by the value in the first coefficient group, and 
subtracting the n+1 values in the second coefficient group 
respectively from the n+1 multiplication results. 

With this construction, the triangular transformation is 
carried out without the diagonal elements of the coefficient 
matrix of the system of linear equations being converted to 2. 

Here, each transformation process may have transformation 
subprocesses each for transforming a separate one of the object 
equations, wherein in each transformation subprocess the 
triangular transforming unit (a) chooses a nonzero coefficient 
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from the pivotal equation and sets the chosen nonzero coefficient 
into the first coefficient group, (b) chooses a nonzero 
coefficient from the object equation, multiplies each of a 
constant and n coefficients in the pivotal equation by the 
nonzero coefficient chosen from the object equation, and sets n+1 
values obtained by the multiplications into the second 
coefficient group, (c) changes the chosen nonzero coefficient in 
the object equation to 0, and (d) multiplies each of a constant 
and n coefficients in the object equation by the nonzero 
coefficient in the first coefficient group, and subtracts the n+1 
values in the second coefficient group respectively from the n+1 
multiplication results. 

Here, each transformation process may have a coefficient 
group calculation process and transformation subprocesses , 
performed following the coefficient group calculation process, 
each for transforming a separate one of the object equations, 
wherein in the coefficient group calculation process the 
triangular transforming unit (a) chooses m nonzero coefficients 
by taking one nonzero coefficient from each of the pivotal 
equation and the object equations, multiplies each combination of 
of the chosen nonzero coefficients, and sets the m 
multiplication results into the first coefficient group, m being 
a positive integer no smaller than 2, and (b) multiplies each of 
a constant and n coefficients in the pivotal equation by a 
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multiplication result in the first coefficient group for a 
combination of nonzero coefficients that does not include a 
nonzero coefficient chosen from the pivotal equation, and sets 
n+1 values obtained by the multiplications into the second 
coefficient group, and wherein in each of the transformation 
subprocesses following the coefficient group calculation process, 
the triangular transforming unit (a) changes a nonzero 
coefficient chosen from the object equation in the coefficient 
group calculation process, to 0 in the object equation, and (b) 
multiplies each of a constant and n coefficients in the object 
equation by a multiplication result in the first coefficient 
group for a combination of nonzero coefficients that does not 
include the nonzero coefficient chosen from the object equation, 
and subtracts the n+1 values in the second coefficient group 
respectively from the n+1 multiplication results. 

With these constructions, the equivalent system of linear 
equations can be obtained through the triangular 
transformation . 

Here, when the diagonal elements of the coefficient matrix 
C are denoted by m 1 (i=l,2 , . . . ,n) and the inverses of the 
diagonal elements m i (1=1,2, ... ,n) in the finite field GF(p) are 
denoted by I i (i=l ,2 , . . . ,n) , the diagonal element inverting unit 
may include (a) a multiplying unit for computing 
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t.=JJm k (except m ± ) mod p (i=l,2, . . . 

and 

t =JY m k moc * P 

(b) a first inverting unit for computing 
u=l/t mod p 

and (c) a second inverting unit for computing 
I. =u*t L mod p (i=l,2, . . . ,n) 

to find the inverses I i (i=l ,2 , . . . ,n) . 

Here, the multiplying unit may calculate 
s 1 =m 1 xm 2 mod p 
s 2 =s 1 xm 3 mod p 

S n-3 =S n-4 Xm n-2 mOCi P 

in the stated order, then calculate 

t n =S n-3 XItt n-l m ° d P 

t n _ 1 =s n _ 3 xm n mod p 
s n =m n _ 1 xm n mod p 

t n -2 =S n-4* S n m0< ^ P 
S n-I =m n-2 XS n m °°^ P 
^n-3 ==S n-5 XS ri-l mC "^ P 
S n-2= m n-3 XS n-l m ° d P 
t n-4 =S n-6 XS n-2 m ° d P 
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s 5 =m 4 *s 6 mod p 
t 3 =s 1 xs 5 mod p 
s 4 =m 3 *s 5 mod p 
t 2 =m 1 xs 4 mod p 
t 1 =m 2 xs 4 mod p 
in the stated order, and lastly calculate 

for a value j chosen from a set of positive integers 
{1,2,. ..,n}. 

With these constructions, the number of inverse operations 
needed to compute the inverses of the diagonal elements can be 
reduced. 

As a result, overall computational complexity of the 
apparatus for solving a system of equations on a finite field is 
reduced. Such an apparatus bears high practical value, as it 
enables high-speed cryptographic or digital signature 
processing. 

The above object can also be achieved by an apparatus for use 
in encryption or decryption, for computing an inverse I of an 
element y in GF (q) which is an extension field of a finite field 
GF(p), where p is a prime, q=p n , and n is a positive integer, the 
apparatus including: an equation generating unit for generating 
a coefficient matrix A and a constant vector b for a system of 
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linear equations Ax=b in n unknowns, using the element y and all 
coefficients of a generator polynomial of GF(q) whose root is a; 
an equation solving unit for finding solutions of the system of 
linear equations Ax=b, the equation solving unit including the 
above apparatus for solving the system of linear equations Ax=b; 
and an inverse computing unit for computing the inverse I using 
the root a and the solutions found by the equation solving 
unit . 

With this construction, the inverse of the extension field 
element can be computed with reduced computational complexity. 

The above object can also be achieved by a record medium 
reproducing apparatus for computing, when copyrighted digital 
content has been encrypted using a discrete logarithm problem on 
an elliptic curve E over GF(q) as a basis for security and 
recorded on a record medium, an inverse I of an element y in 
GF (q) to decrypt the encrypted digital content recorded on the 
record medium, where GF (q) is an extension field of a finite 
field GF(p), p is a prime, q=p n , n is a positive integer, and G 
is a base point of the elliptic curve E, the record medium 
reproducing apparatus including: an equation generating unit for 
generating a coefficient matrix A and a constant vector b for a 
system of linear equations Ax=b in n unknowns, using the element 
y and all coefficients of a generator polynomial of GF (q) whose 
root is cr, an equation solving unit for finding solutions of the 



system of linear equations Ax=b, the equation solving unit 
including the above apparatus for solving the system of linear 
equations Ax=b; and an inverse computing unit for computing the 
inverse I using the root a and the solutions found by the 
equation solving unit. 

With this construction, the record medium reproducing 
apparatus can compute the inverse of the extension field element 
with reduced computational complexity. 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other objects, advantages and features of the 
invention will become apparent from the following description 
thereof aken in conjunction with the accompanying drawings that 
illustrate a specific embodiment of the invention. In the 
drawings : 

Fig. 1 is a block diagram showing the construction of an 
inversion apparatus 100 according to an embodiment of the 
invention; 

Fig. 2 is a flowchart showing the general operation of the 
inversion apparatus IOC- 
Fig. 3 is a flowchart showing the operation of triangular 
transforming a coefficient matrix of a system of equations by an 
equation transforming unit 102 in the inversion apparatus 100; 
Fig. 4 is a flowchart showing the operation of inverting 
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diagonal elements of the coefficient matrix in the inversion 
apparatus 100; 

Fig. 5 is a flowchart showing the operation of solving the 
system of equations in the inversion apparatus 100; 

Fig. 6 shows an example of the triangular transformation by 
the equation transforming unit 102; 

Fig. 7 is a flowchart showing the operation of triangular 
transforming a coefficient matrix by an equation transforming 
unit 102a as a variant of the invention; 

Fig. 8 shows an example of the triangular transformation by 
the equation transforming unit 102a; 

Fig. 9 is a sequential view showing the procedure of the 
conventional ElGamal digital signature scheme; 

Fig. 10 is a flowchart showing the conventional triangular 
transformation of a coefficient matrix; and 

Fig. 11 shows an example of the conventional triangular 
transformation. 

DESCRIPTION OF THE PREFERRED EMBODIMENT ( S ) 
1 . Embodiment 

The following is a description of an inversion apparatus 100 
according to an embodiment of the present invention. 
1.1. Construction of the Inversion Apparatus 100 

The inversion apparatus 100 computes the inverse I of an 
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element x on GF(q) {q=p n , p a prime, n a positive integer) which 
is an extension field of a predetermined finite field GF(p) . In 
this embodiment, a generator polynomial of the extension field 
GF(q) is g n -0 whose root is a, and the element x is such that 
x=x 0 +x 1 a+- ■ ■+x n _ 1 d 1 ' 1 , where a is an element of GF (q) and j3, x 0 , x x , 
... , x n _ x are elements of GF (p) . 

As shown in Fig. 1, the inversion apparatus 100 is roughly 
made up of a parameter storing unit 200, an equation generating 
unit 201, an equation solving unit 202, an inverse computing unit 
203, and an inverse storing unit 204. 

Specifically, the inversion apparatus 100 is implemented by 
a computer system equipped with a microprocessor, a ROM, a RAM, 
a hard disk, and the like. Through execution of a computer 
program stored in the hard disk by the microprocessor, the 
equation generating unit 201, the equation solving unit 202, and 
the inverse computing unit 203 are realized. 

(1) Parameter Storing Unit 200 

The parameter storing unit 200 is implemented by the hard 
disk. The parameter J3 of the generator polynomial, the root a, 
and the elements x Q , x lf ... , x n _ 2 are stored in the parameter 
storing unit 200 beforehand. 

(2) Equation Generating Unit 201 

The equation generating unit 201 reads ($, a, x 0 , x lf ... , x n _ 2 
from the parameter storing unit 200, and generates parameters of 
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the following system of equations of y i (i=0, l,2 r . . . r n-l) 
x 0 y 0 +Px n _ 1 y 1 +$x n _ 2 y 2 +- ' '+0^ 1 y n -i =1 

*iYo +x 0 Yi +P K n-iY 2 + ' ' ' +£ x 2 yn-r° 

x 2 Yo + x iYi + x oY 2 + ' • ' +P x 3 Y n -i= 0 

X n-lY 0 +X n- 2 Yl +X n- 3 Y 2 + ' ' * + X oYn-l = 0 

using the read values. 

This system of equations can be written simply as 
AY=B 

where A is a matrix and Y and B are vectors such that 



X 0 P X n-l P K n-2 


■ J3x^ 


X l X 0 P X n-l 


" $ X 2 


x 2 x 1 X Q 


■ PK 3 
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The parameters of the system of equations generated by the 
equation generating unit 201 are the matrix A and the vector B. 
The equation generating unit 201 outputs the generated matrix A 
and vector B to the equation solving unit 202. 

The equation generating unit 201 also outputs a read from the 
parameter storing unit 200, to the inverse computing unit 203. 
(3) Equation Solving Unit 202 

The equation solving unit 202, when given parameters a ±j 
(i,j=l,2, . . . ,n) and b k (k=l ,2 , . . . ,n) of the following system of 
linear equations in n unknowns for x i (i=l ,2 , . . . ,n) on a 
predetermined finite field GF (p) (p a prime), solves the system 
of linear equations in n unknowns on GF(p). 

a il K l +a i2 X 2 + ' ' ' +a in X n =::b l 

a 21 x 1 +a 22 x 2 +- ■ -+a 2n K=b 2 

a nl X l +a n2 X 2 + ' * ' + a nn K n =b n 

The equation solving unit 202 includes a constant storing 
unit 101, an equation transforming unit 102, an inverting unit 
103, and an equation computing unit 104, as shown in Fig. 1. 



31 



(Constant Storing Unit 101) 

The constant storing unit 101 is implemented by the RAM. The 
constant storing unit 101 receives a matrix M and a vector v from 
the equation generating unit 201 and stores them. Here, the 
matrix M and the vector v are respectively 



a ll "12 
a 21 a 22 



For example, the matrix M is the matrix A and the vector v 
is the vector B. 

(Equation Transforming Unit 102) 

The equation transforming unit 102 reads the matrix M and the 
vector v from the constant storing unit 101 and triangular 
transforms the read matrix M and vector v, to generate a matrix 
M' (a coefficient matrix consisting of n rows and n columns) and 
a vector v' (a constant vector consisting of n elements) for a 
system of linear equations M'x=v' in n unknowns that is 
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equivalent to a system of linear equations Mx=v in n unknowns. 

In the triangular transformation, the equation transforming 
unit 102 transforms the matrix M into an upper triangular matrix 
without changing each diagonal element of the matrix M to 2. 

Such generated matrix M' and vector v' are 



^11 ^12 
C 21 C 22 



\ 



d 2 




This triangular transformation is carried out in the 
following way. 

In the triangular transformation, one or more successive 
transformation processes are performed to generate the matrix M' 
and vector v' of the system of linear equations M'x=v' from the 
system of linear equations Mx=v. 

In each transformation process, the equation transforming 
unit 102 generates, from a system of linear equations in n 
unknowns, a coefficient matrix and a constant vector for a system 
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of linear equations in n unknowns that is equivalent to the 
system of linear equations before the transformation. In this 
embodiment, a system of linear equations in n unknowns that is 
subjected to the initial transformation process is the system of 
linear equations Mx=v, whereas a system of linear equations in n 
unknowns that is obtained as a result of the last transformation 
process is the system of linear equations M'x=v'. 

In each transformation process, a system of linear equations 
in n unknowns before the transformation includes one linear 
equation as a pivotal equation serving as the transformation 
pivot and one or more linear equations as object equations to be 
transformed. 

Each transformation process has transformation subprocesses 
as many as the object equations in the system of linear 
equations, each for transforming a separate one of the object 
equations to an equation equivalent to the object equation. 
Before transforming the object equation to the equivalent 
equation, a first coefficient group and a second coefficient 
group are defined in each transformation subprocess. 

The first and second coefficient groups are each a group that 
contains at least one value related to the pivotal equation. To 
be more specific, the equation transforming unit 102 sets one 
nonzero coefficient of the pivotal equation into the first 
coefficient group. Also, the equation transforming unit 102 
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multiplies each of a constant and n coefficients of the pivotal 
equation by one nonzero coefficient of the object equation, and 
sets n+1 values obtained as a result into the second coefficient 
group . 

Following this, the equation transforming unit 102 changes 
the nonzero coefficient of the object equation to 0. The 
equation transforming unit 102 then multiplies each of a constant 
and n coefficients of the object equation by the value in the 
first coefficient group, and subtracts the n+1 values in the 
second coefficient group respectively from the n+1 multiplication 
results. In so doing, the object equation is transformed into 
the equivalent equation where one of its nonzero coefficients has 
become 0. 

This triangular transformation will be explained in greater 
detail later. 

The equation transforming unit 102 outputs the generated 
matrix M' and vector v' to the equation computing unit 104, and 
outputs the diagonal elements c i± (i=l ,2 , . . . ,n) of the matrix M' 
to the inverting unit 103. 

As described earlier, when transforming the matrix M into 
upper triangular form, the equation transforming unit 102 also 
transforms the vector v so as not to alter the solutions of the 
system of linear equations Mx=v. The difference with the 
conventional triangular transformation lies in that the diagonal 
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elements of the matrix M are not converted to 1. 
(Inverting Unit 103) 

The inverting unit 103 receives the diagonal elements c u 
(1=1,2, ... ,n) of the matrix M' from the equation transforming 
unit 102. 

For simplicity's sake, the diagonal elements c i± 
(1=1,2, ... ,n) of the matrix M' are expressed as m ± (1=1 ,2 , . . . ,n) 
here . 

The inverting unit 103 solves 




n) 



by first calculating 



s 1 =m 1 xm 2 mod p 



s 2 =s 1 xm 3 mod p 



S n-3 =:S n-4 Xm n-2 mo °^ P 



t n =s n _ 3 xm n _ 1 mod p 



t n-l ==S n-3 Xm n mQ< ^ P 



s n =m n _ 1 xm n mod p, 



t n _ 2 =s n _ 4 *s n mod p 



S n-l =m n-2 XS n m ° d P f 



t n-3 =S n-5 XS n-l mOCi P 



S n-2 =Itt n-3 XS n-l mOC * Pf 



t n-4 ==S n-6 XS n-2 m ° d P 



s 5 =m 4 *s 6 mod p, 



t 3 =s I *s 5 mod p 
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s 4 =m 3 xs 5 mod p, t 2 =m 1 xs 4 mod p 

t 1 =m 2 xs 4 mod p 

in this order. The inverting unit 103 then calculates 
t=t k *m k mod p 

using a predetermined value k (chosen from a set of positive 
integers (1, 2, ... , n}) , and thereby solves 

t=JJm ± mod p 

The inverting unit 103 next computes 
u=l/t mod p 

and finally obtains the inverses I i (1=1 ,2 , . . . ,n) by 
I i =uxt i mod p (1=1,2, ... ,n) 

The inverting unit 103 outputs the inverses I ± (1=1,2 , ... ,n) 
to the equation computing unit 104. 

Thus, the inverting unit 103 computes, on GF(p), the inverses 
I. (1=1,2 , ... ,n) of the diagonal elements c u (1=1,2, ... ,n) of the 
matrix M' which are given from the equation transforming unit 
102. 

(Equation Computing Unit 104) 

The equation computing unit 104 receives the matrix AT and 
the vector v' from the equation transforming unit 102, and also 
receives the inverses I ± (1=1,2, ... ,n) from the inverting unit 
103. 
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The equation computing unit 104 sets the values n-1, n-2, ... 
, 2, 1, 0 in counter j one at a time. For counter j, the 
equation computing unit 104 uses the matrix M' , the vector v', 
and the inverses I ± (1=1 ,2 , . . . ,n) to compute 



when j*n-l. 

The equation computing unit 104 then outputs the solutions 
y _. (j=0,l,2, . . . ,n-l) to the inverse computing unit 203. 

The reason that the solutions of the system of linear 
equations in n unknowns can be found by the equation computing 
unit 104 is shown below. 

Since the matrix M' received from the equation transforming 
unit 102 is an upper triangular matrix, the system of linear 
equations M'x=v' can be written as 



Yj =I j+i xd 3+i mod p 



when j=n-l, and compute 




mod p 



c 11 x 0 +c 12 x 1 +c 13 x 2 +- • '+c ln x 1 



c nn x n _ 1 =d n 

with the inverses of the diagonal elements c ii (1=1,2, . . . ,n) 
of the matrix M' being I ± (1=1 ,2 , . . . ,n) . 



Accordingly, the solution y n _ 2 of x n .j is 

Yn-l =I ndn-l mod P 

the solution y n _ 2 of x n _ 2 is 

y n -2 =I n-l ( d n-l~ C n-l m ° d P 

and the solutions (j=n-3,n-4,...,0) of x j are 

(4) Inverse Computing Unit 203 

The inverse computing unit 203 receives the solutions 
(j=0,l,2, . . . ,n-l) from the equation computing unit 104 in the 
equation solving unit 202, and receives the root a from the 
equation generating unit 201. The inverse computing unit 203 
calculates the inverse I according to the equation 

i=y 0 + yi a+ - ' ' + yn-i a "' 1 

using the received solutions y,. (j=0 ,1,2 , . . . ,n-l) and root a. 
The inverse computing unit 203 writes the calculated inverse I 
into the inverse storing unit 204. 

Hence the inverse I of the element x in the extension field 
GF(q) is obtained. 

(5) Inverse Storing Unit 204 

The inverse storing unit 204 is implemented by the hard disk 
and stores the inverse I of the element x of the extension field 
GF (q) . 
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1.2. Operation of the Inversion Apparatus 100 

The following is a description on the operation of the above 
constructed inversion apparatus 100. 

(1) General Operation of the Inversion Apparatus 100 
5 The general operation of the inversion apparatus 100 is 

explained below with reference to Fig. 2. 

The equation generating unit 201 reads the parameter /3, the 
root a, and x 0 , x ir ... , x D _ z from the parameter storing unit 200, 
and uses them to generate the matrix A and the vector B as the 
10 parameters of the system of linear equations AY=B in n unknowns 

for y i (i=0,l,2, ... ,n-l) . The equation generating unit 201 
outputs the generated matrix A and vector B to the constant 
" storing unit 101 in the equation solving unit 202, and outputs 

the root a to the inverse computing unit 203 (S101) . 
]5_ The equation transforming unit 102 in the equation solving 

I unit 202 reads the matrix M and the vector v from the constant 

storing unit 101 and triangular transforms the read matrix M and 
vector v, as a result of which the matrix M' and the vector v' 
for the system of linear equations M'x=v' in n unknowns, that is 
20 equivalent to the system of linear equations Mx=v, are generated 

(S102) . 

The inverting unit 103 in the equation solving unit 202 
calculates the inverses I i (i=l,2 , . . . ,n) of the diagonal elements 
c ii (±=1,2, . . . ,n) of the matrix M' (S103) . 
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The equation computing unit 104 in the equation solving unit 
202, through the use of the matrix M' , the vector v', and the 
inverses I ± (i=l ,2 , . . . ,n) , seeks the solutions y. (j=0 ,1 ,2 , . . . , 
n-1) of the system of linear equations M'x=v', and outputs the 
solutions yj (j=0,l,2, . . . ,n-l) to the inverse computing unit 203 
(S104) . 

The inverse computing unit 203 receives the solutions y^ 
(j=0 ,1 ,2 , . . . ,n-l) from the equation computing unit 104 and the 
root a from the equation generating unit 201, finds the inverse 
I of the element x in the extension field GF (q) using the 
received solutions and root, and writes the inverse I into the 
inverse storing unit 204 (S105) . 

(2) Operation of Triangular Transformation by the Equation 
Transforming Unit 102 

The operation of the triangular transformation by the 
equation transforming unit 102 is explained in detail below with 
reference to Fig. 3. 

The equation transforming unit 102 reads the matrix M and the 
vector v from the constant storing unit 101 (Sill), and sets 
counter j at 1 (S112) . 

The equation transforming unit 102 searches the jth column 
of the matrix M from the jth to nth rows for an element which is 
not 0 on GF(p), and sets the row number of a nonzero element 
found first as k (S113) . Here, if k*j (S114), the equation 
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transforming unit 102 changes places between the kth row and the 
jth row in the matrix M (S115) , and changes places between the 
Jtth row and the jth row in the vector v (S116) . 

The equation transforming unit 102 sets counter i at j+1 
(S117), and makes the following settings using a., (the element 
in the jth row and jth column of the matrix M) and a^: 
a ir 0 

a^a^a^-a^a^ for j+l<;k<n (k=j+l,j+2, . . . f n) 
b^a^b.-a^b. 

(S118) . 

The equation transforming unit 102 then judges whether i=n 
(S119) . If ±*n, the equation transforming unit 102 increments 
counter i by 1 (S122) and returns to step S118 . If i=n, the 
equation transforming unit 102 judges whether j=n-l (S120) . If 
j*n-l, the equation transforming unit 102 increments counter j by 
2 (S123) and returns to step S113. If j=n-l, the equation 
transforming unit 102 sets the matrix M as the matrix M' and the 
vector v as the vector v', and completes the operation. 

As described above, this triangular transformation includes 
transformation processes which correspond to the separate values 
of counter j, and each of the transformation processes includes 
transformation subprocesses which correspond to the separate 
values of counter i. 

(Reason for Equivalence between Mx=v and M'x=v') 
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The reason why the system of linear equations M'x=v' 
generated as a result of the triangular transformation by the 
equation transforming unit 102 is equivalent to the system of 
linear equations Mx=v is given below. 

In each transformation process of the triangular 
transformation, let M in and v in be a matrix and a vector before the 
transformation, M out and v ovt be a matrix and a vector after the 
transformation, and L ± and L j be the ith and jth row vectors of 
the matrix M in . 

The equation transforming unit 102 calculates 

and, having set the resulting row vector as the ith row of 
the matrix M out , calculates 

the outcome of which is set as the ith row of the vector v out . 
The other elements of M out and the other elements of v out are 
respectively equal to the other elements of M in and the other 
elements of v in . This being the case, the system of linear 
equations 

M in ■x=v dn 

and the system of linear equations 

have the same solutions, as demonstrated in document 2. 
Also, the equation transforming unit 102 defines a ±j =0 for 



every i that satisfies j+l<i<n. Repeating this process from j=l 
to j=n renders all elements in the lower triangle of the matrix 
0. Thus, the matrix can be triangular transformed without the 
solutions of the system of linear equations being altered. 

(3) Operation of the Inverting Unit 103 

The operation of the inverting unit 103 is explained in 
detail below with reference to Fig. 4. 

The inverting unit 103 receives the diagonal elements m i ( 
i=l,2 r . . . ,n) of the matrix M' from the equation transforming unit 
102 (S141), and computes 

t i =JJm k (excepting mod p (i=l,2, . . . ,n) 

1 k=l 

(S142) . The inverting unit 103 then computes 
t=t k *m k mod p 

using the predetermined value k (S143), and also computes 
u=l/t mod p 

(5144) . The inverting unit 103 finally finds the inverses 

I i =u*t 1 mod p ,2 , . . . ,n) 

(5145) , and outputs the inverses I\ (i=l ,2, . . . ,n) to the 
equation computing unit 104 (S14 6) . 

(4) Operation of the Equation Computing Unit 104 

The operation of the equation computing unit 104 is explained 
in detail below with reference to Fig. 5. 
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The equation computing unit 104 receives the matrix M' and 
the vector v' from the equation transforming unit 102, and 
receives the inverses (i=l ,2, . . . ,n) from the inverting unit 
103 (S161) . Having set counter j at n-1 (S162) , the equation 
computing unit 104 computes 



when jVn-2 (S163) . 

The equation computing unit 104 judges whether j=0 (S164). 
If j=0, the equation computing unit 104 outputs the solutions y. 
(j=0 ,1 ,2 , . . . ,n-l) to the inverse computing unit 203 (S166) . 
Otherwise, the equation computing unit 104 decrements counter j 
by 2 (S165) and returns to step S163. 
1.3. Computational Complexity 

The computational complexity of the equation solving unit 202 
is evaluated below. 

(1) Computational complexity of the Equation Transforming Unit 
102 

In the equation transforming unit 102, computational 
complexity for one value of counter j (steps S113-S119 in Fig. 3) 
is the following. 



yj =I 3+i xd 3+i mod P 



when j=n-l, and computes 




mod p 



45 



First, computational complexity for one value of counter i 
(step S118) is broken down as shown below. 

(a) In step S118, the calculation a^a^xa^-a^xa^ is 
performed for j+l^k^n (k=j+l ,j+2 , . . . ,n) . This means two 
multiplications are repeated (n- (j+1) +1) = (n-j ) times, so that 
computational complexity is (2* (n-j ) )Mul. 

(b) In step S118, the calculation b^a^ xb ± -a dj xjh, involves two 
multiplications, so that computational complexity is 2Mul. 

Since counter i changes from j+1 to n, the computational 
complexity of steps S113-S119 for one value of counter j is 



In steps S112-S120, counter j changes from 2 to n-1, so that 
the overall computational complexity of the equation transforming 
unit 102 is 



(2x (n-j+1) )Mul*(n- (j+1) +1) 



= (2*(n-j) x (n-j+1) )Mul 




=2Mul x (l/6*n (n -1) (2n -1) +1/2 *n (n -1) ) 



=2Mul*l/6xn(n-l) (2n-l+3) 



=l/3Mul xn (n -1) <2n +2) 



= (2/3xn(n-l) (n+l))Mul 
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(2) Computational Complexity of the Inverting Unit 103 

The computational complexity of the inverting unit 103 can 
be broken down as follows. 

(a) Finding s 2 ~s n _ 3 and t n requires n-2 multiplications, so 
that computational complexity is (n-2)Mul. 

(b) Finding t n _ 1 requires one multiplication, so that 
computational complexity is lMul. 

(c) Finding s n and t a _ 2 , s n _ x and t B _ 3 , ... , and s 4 and t 2 
requires 2* (n-3) multiplications, so that computational 
complexity is (2* (n-3) )Mul . 

(d) Finding t 2 requires one multiplication, so that 
computational complexity is lMul. 

(e) Finding t requires one multiplication, so that 
computational complexity is lMul. 

(f) Finding u=l/t mod p requires one inversion, so that 
computational complexity is llnv. 

(g) Finding I i =u*t i mod p (i=l ,2, . . . ,n) requires n 
multiplications, so that computational complexity is nMul. 

Summing these computational complexity gives the total 
computational complexity of the inverting unit 103 as 
( (n-2) +1+2 (n-3) +l+l+n) Mul+llnv 
= (4n-5)Mul+lInv 

(3) Computational Complexity of the Equation Computing Unit 104 

In the equation computing unit 104, computational complexity 
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for one value of counter j (steps S163-S165 in Fig. 5) is as 
follows . 

To compute 

yj =I ]+i xd j+i mod P 
when j=n-l and 

when j*n-l, one multiplication and (n- (j + 1) +1) 
multiplications are needed, which makes the computational 
complexity of (n-j+l)Mul. 

Since counter j changes from 1 to n, the total computational 
complexity of the equation computing unit 104 is 

£ (n-j+l)Mul 

3=1 
3=1 

= (l/2*n (n+l))Mul 

(4) Total Computational Complexity of the Equation Solving Unit 
202 

From the foregoing description, the total computational 
complexity of the equation solving unit 202 is given by 
(2/3xn (n-1) (n+1) )Mul 
+ (4n-5)Mul+lInv 
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+ (l/2*n (n+l))Mul 
= (l/6(4n+3n+23n-30))Mul + Hnv 
Supposing Hnv=40Mul in a general-purpose computer when n=5 
and \q\=160 (\q\ is the bit size of g) , the total computational 
5 complexity of the equation solving unit 202 can be estimated at 

150Mul. 

Thus, the computational complexity of the equation solving 
unit 202 of the invention is much smaller than that of the prior 
art. Such an equation solving unit bears huge practical value, 
1Q as it enables an apparatus to solve a system of equations on a 

finite field with reduced computational complexity. 

Also, such an equation solving unit enables an apparatus to 
compute an inverse I of an element x in an extension field GF(q) 
of a predetermined finite field GF (p) with reduced computational 
la, complexity. 

1.4. Concrete Example 

The following is a concrete example of the operation of the 
equation solving unit 202. 

As with the prior art 3, a prime p=31, a generator polynomial 
20 f(g)=g 5 -2, and an element x=5a +29C? +6a +19a+ll of GF(q) are given. 

A system of equations to be solved is the same as that in the 
prior art 3, as shown in Fig. 6(a). 

The following calculations are performed: 
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a 22 =l 7x2 7-19x10=6 mod 31 
a 23 =17xl0-19*27=29 mod 31 
a 24 =17*27-19xl2=14 mod 31 
a 25 =17xl2-19x7=9 mod 31 
b 2 =17x0-19xl=12 mod 31 
When j=l {1=2), the system of equations is transformed as 
shown in Fig. 6(b). Here, the element in the first column and 
second row has become 0 in a coefficient matrix 411. 

As a result of the transformation process for j=l, the system 
of equations has become as shown in Fig. 6(c), where the elements 
in the first column and third to fifth rows are 0 in a 
coefficient matrix 421. 

As a result of the transformation process for j=2, the system 
of equations has become as shown in Fig. 6(d), where the elements 
in the second column and third to fifth rows are 0 in a 
coefficient matrix 431. 

As a result of the transformation process for j=3, the system 
of equations has become as shown in Fig. 6(e), where the elements 
in the third column and fourth to fifth rows are 0 in a 
coefficient matrix 441. 

As a result of the transformation process for j=4, the system 
of equations has become as shown in Fig. 6(f), where the element 
in the fourth column and fifth row is 0 in a coefficient matrix 
451. 
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Next, the diagonal elements in the coefficient matrix 451 are 
inverted by calculating 

s 1 =m 1 xm 2 =l 7^6=9 mod 31 

s 2 =s 1 xm 3 =9x!7=29 mod 31 

t 5 =s 2 xm 4 =29*6=19 mod 31 

t 4 =s 2 xm 5 =29x30=2 mod 31 

s 5 =m 4 xm 5 =6x30=25 mod 31 
t 3 =s 1 xs 5 =9x25=8 mod 31 

s 4 =m 3 xs 5 =17x25=22 mod 31 
t 2 =m 1 xs 4 =17x22=2 mod 31 

t 1 =m 2 xs 4 =6x22=8 mod 31 

t=m 1 xt 1 =17x8=12 mod 31 

u=l/t=l/12=13 mod 31 

I 1 =u*t 1 =13x8=ll mod 31 

I 2 =uxt 2 =13x2=26 mod 31 

I 3 =uxt 3 =13x8=ll mod 31 

I 4 =u*t 4 =13*2=26 mod 31 

I 5 =uxt 5 =13xl9=30 mod 31 
Notice that u=l/t=l/12=13 mod 31 is the only inverse 
operation here. 

Lastly, the system of equations is solved in the following 

way: 

y 4 =I 5 xd 5 =30*2=29 mod 31 
y 3 =I 4 * (d 4 -c 45 xy 4 ) 
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=26* (28-2x29) =26 mod 31 
y 2 =I 3 x (d 3 -c 34 *y 3 -c 35 *y 4 ) 

=11 x (1-6x26-11x29) =25 mod 31 
y 1 =I 2 x (d 2 -c 23 xy 2 -c 24 *y 3 -c 25 xy 4 ) 

=26x (12-29x25-14x26-9x29) 

=25 mod 31 
y 0 =I 1 x (d 2 -c 12 x Yl -c 13 xy 2 -c 14 *y 3 -c 15 xyj 

=11* (1-10*25-27x25-12x26-7x29) 

=12 mod 31 



1.5. Applications 

In application of the present invention to an actual 
communication system such as a cryptographic communication 
system, a digital signature communication system, or an error 
correction communication system, parameters such as follows are 
used. 

For a prime p=2 31 -l, ■■ q=p" , n=5 , a generator polynomial 
f(g)=g 5 -g-8, and an element x=x 0 +x 1 x a +x 2 xcx+x 3 xa 3 +x 4 xa of GF (q) , a 
system of equations is defined as 



x Q 8x 4 8x 3 8x 2 8x 1 
x 2 x Q +x 4 x 3 +8x 4 x 2 +8x 3 x 1 +8x 2 

X 2 X l X 0 +X 4 X 3 +8X 4 X 2 +8X 3 

x 3 x 2 x x x 0 +x 4 k 3 +8x 4 
x 4 x 3 x 2 x 1 x Q +x 4 





0 



0 



0 



V') 



0 



\ 
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where p, x Qf ... , x 4 , and y 0 , ... , y 4 are each 31 bits long, 
and q and x are each 155 bits long. 
2. Modifications 
2.1. Variant 

As a variant of the equation transforming unit 102 in the 
equation solving unit 202, an equation transforming unit 102a is 
explained below. 

In the equation transforming unit 102a, each transformation 
process has one coefficient group calculation process and 
subsequent transformation subprocesses as many as object 
equations, each for transforming a separate one of the object 
equations . 

In the coefficient group calculation process, the equation 
transforming unit 102a chooses m nonzero coefficients by taking 
one nonzero coefficient from each of the pivotal equation and the 
object equations in the coefficient matrix consisting of n rows 
and n columns, multiplies each combination of (m-1) of the chosen 
nonzero coefficients, and sets the m multiplication results into 
a first coefficient group. The equation transforming unit 102a 
then multiplies each of a constant and n coefficients of the 
pivotal equation by the multiplication result in the first 
coefficient group for a combination of nonzero coefficients that 
does not include the nonzero coefficient of the pivotal equation, 
and sets n+1 values obtained as a result into a second 
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coefficient group. 

Following this, in each of the transformation subprocesses 
the equation transforming unit 102a changes a nonzero coefficient 
chosen from an object equation to 0, multiplies each of a 
constant and n coefficients of the object equation by the 
multiplication result in the first coefficient group for a 
combination of nonzero coefficients that does not include the 
nonzero coefficient of the object equation, and subtracts the n+1 
values in the second coefficient group respectively from the n+1 
multiplication results. 

The operation of the equation transforming unit 102a is 
explained below with reference to Fig. 7. The flowchart in Fig. 
7 includes steps S118a~S118c instead of step S118 in Fig. 3. 

Since the other steps are the same as those in Fig. 3, the 
following explanation will focus on steps S118a~S118c. 

In step S118a, the equation transforming unit 102a 
computes 

h k = JJ a mj (except a kj ) 

for each k that satisfies j<k<:n (k=j ,j+l , . . . ,n) . In step 
S118b, the equation transforming unit 102a computes 

e=V^ 
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for each k that satisfies j+l^k^n (k=j+l ,j+2 , . . . ,n) . In step 
S118c, having set a dJ =0, the equation transforming unit 102a 
computes 

a ik =h^a lk -w k 
b i =h i xb ± -e 

for each k that satisfies j+l<rk<n (k=j+l ,j+2 , . . . ,n) . 
(Concrete Example) 

An example of the operation of the equation transforming unit 
102a is shown below. 

As with the prior art 3, a prime p=31, a generator polynomial 
f(g)=g 5 -2 r and an element x=5a 4 +29c? + 6a +19a+17 of GF (q) are given. 
A system of equations to be solved is the same as that in the 
prior art 3, as shown in Fig. 8(a). 

When the equation transforming unit 102a calculates 

s 1 =a 11 xa 21 =l 7x19=13 mod 31 
s 2 =s 1 *a 31 =13*6=16 mod 31 
h 5 =s 2 *a 41 =16*29=30 mod 31 
h 4 =s 2 xa 51 =16*5=18 mod 31 
s 5 =a 41 xa 51 =2 9x5=21 mod 31 
h 3 =s 1 xs 5 =13x21=25 mod 31 
s 4 =a 31 xs 5 =6x21=2 mod 31 
h 2 =a n *s 4 =17x2=3 mod 31 
h 1 =a 21 xs 4 =19x2=7 mod 31 
and then calculates 
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w 2 =h 1 ^a 12 =7xlO=8 mod 31 
w 3 =h 1 *a 13 =7*27=3 mod 31 
w 4 =h 1 xa 14 =7*12=22 mod 31 
w 5 =h 1 xa 15 =7*7=18 mod 31 
e=h 1 xb 1 =7xl=7 mod 31 
When i=2 (j=l) , the equation transforming unit 102a 
calculates 

a 21 =0 

a 22 =h 2 xa 22 -w 2 =3xl7-8=12 mod 31 

a 23 =h 2 xa 23 -w 3 =3 x 10-3=2 7 mod 31 

a 24 =h 2 xa 24 -w =3x27-22=28 mod 31 

a 25 =h 2 xa 25 -w 5 =3x!2-18=18 mod 31 

b 2 =h 2 xb 2 -e=3x 0-7=24 mod 31 
According to this method, only one multiplication is needed 
to find a ik unlike the first embodiment which needs two 
multiplications, so that computational complexity is further 
reduced. 

With the above computations, the system of equations is 
transformed as shown in Fig. 8(b), where the element in the first 
column and second row has become 0 in a coefficient matrix 511. 

As a result of the transformation process for j=l, the system 
of equations has become as shown in Fig. 8(c), where the elements 
in the first column and third to fifth rows are 0 in a 
coefficient matrix 521. 
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Next, when 3=2, the equation transforming unit 102a 
calculates 

s 1 =a 22 *a 32 =12x2=24 mod 31 

h 5 =s 1 *a 42 =24><7=13 mod 31 

h 4 =s 1 xa 52 =24*25=ll mod 31 

s 4 =a 42 xa 52 =7*25=20 mod 31 

h 3 =a 22 *s 4 =12x20=23 mod 31 

h 2 =a 32 xs 4 =2*20=9 mod 31 
and then calculates 

w 3 =h 2 xa 23 =9*27=26 mod 31 

w 4 =h 2 *a 24 =9*28=4 mod 31 

w 5 =h 2 xa 25 =9xl8=7 mod 31 

e=h 2 xb 2 ^9x24=30 mod 31 
As a result of the transformation process for j=2, the system 
of equations has become as shown in Fig. 8(d), where the elements 
in the second column and third to fifth rows are 0 in- a 
coefficient matrix 531. 

Next, when j=3, the equation transforming unit 102a 
calculates 

h 5 =a 33 xa 43 =8x!4=19 mod 31 
h 4 =a 33 xa 53 =8x!2=3 mod 31 
h 3 =a 43 *a 53 =14xl2=13 mod 31 
and then calculates 

w 4 =h 3 xa 34 =13xl=13 mod 31 
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w 5 =h 3 xa 35 =l 3x7=29 mod 31 
e=h 3 xb 3 =13x26=28 mod 31 
As a result of the transformation process for j=3, the system 
of equations has become as shown in Fig. 8 (e) , where the elements 
in the third column and fourth to fifth rows are 0 in a 
coefficient matrix 541. 

Next, when j=4, the equation transforming unit 102a 
calculates 

h 5 =a 44 =16 mod 31 
h 4 =a 54 =14 mod 31 
and then calculates 

w 5 =h 4 xa 45 =l 4^2 6=23 mod 31 
e=h 4 xb 4 =l 4x2 3=12 mod 31 
As a result of the transformation process for j=4, the system 
of equations has become as shown in Fig. 8(f), where the element 
in the fourth column and fifth row is 0 in a coefficient matrix 
551. 

Here, let C=A and D=B, and the diagonal elements are inverted 
by computing 

s 1 =m 1 xm 2 =17xl2=18 mod 31 
s 2 =s 2 xm 3 =18x8=20 mod 31 
t 5 =s 2 xm 4 =20x!6=10 mod 31 
t 4 =s 2 xm 5 =2 0x22=6 mod 31 
s 5 =m 4 xm 5 =l 6x22=11 mod 31 
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t 3 =s 1 xs 5 =18*ll=12 mod 31 
s 4 =m 3 *s 5 =8xll=26 mod 31 

t^m^s =11*26=8 mod 31 
t 1 =m 2 xs 4 =12x26=2 mod 31 
t=m 1 *t 1 =17x2=3 mod 31 
u=l/t=l/3=21 mod 31 
I 1 =u*t 1 =21x2=ll mod 31 
1 2 =u*t 2 =21x8=13 mod 31 
I 3 =uxt 3 =21xl2=4 mod 31 
I 4 =u*t 4 =21x6=2 mod 31 
I 5 =uxt 5 =21xl0=24 mod 31 
Notice that u=l/t=l/3=21 mod 31 is the only inverse operation 

Lastly, the system of equations is solved as follows: 
y 4 =I 5 xd 5 =2 4*18=29 mod 31 
y 3 =I 4 x(d 4 -c 45 xy 4 ) 

=2* (23-26x29) =26 mod 31 
y 2 =I 3 x (d 3 -c 34 xy 3 -c 35 xy 4 ) 

=4x (26-1x26-7*29) =25 mod 31 

Yl=I 2 X (d 2 - C 23 X Y2- C 24 X Y3- C 25 X Y4) 

=13* (24-27x25-28x26-18*29) 
=25 mod 31 
y 0 =I 1 x (d^c^xy-c^xy^c^ *y 3 -c 15 xy 4 ) 
=llx (1-10x25-27x25-12x26-7x29) 
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=12 mod 31 

(Computational Complexity of the Equation Transforming Unit 
102a) 

Computational complexity of the equation transforming unit 
102a for one value of counter j {steps S113-S119 in Fig. 7) is 
measured below. 

In step S118a, (3* (n-j+1) -6) multiplications are needed to 
find h k (k=j ,j+l , . . . ,n) , so that computational complexity is 
(3* (n-j+1) -6) Mul. 

In step S118b, (n- (j+1) +1+1) multiplications are needed to 
find w k (k=j+l,j+2, . . . ,n) and e, so that computational complexity 
is (n-j+1) Mul. 

In step S118c, for one value of counter i, computational 
complexity is as follows. 

(a) To compute a ik =h i *a ik -w k for j+l^k^n (k=j+l ,j+2 , . . . ,n) , one 
multiplication is repeated (n- (j+1) +1) = (n-j ) times, so that 
computational complexity is (n-j) Mul. 

(b) To compute J b i =h i x J b i -e, one multiplication is performed, 
so that computational complexity is lMul. 

Since counter i changes from j+1 to n, the computational 
complexity of step S118c for all values of counter i is 
(n-j+1) Mul* (n- (j+1) +1) 
= ( (n-j) x (n-j+1) )Mul 
Accordingly, the total computational complexity of steps 
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S118a~S118c for one value of counter j is 



( (3x (n-j+1) -6) + (n-j+1) + (n-j) (n-j+l))Mul 



= (4* (n-j+1) -6+ (n-j) (n-j+1) )Mul 



= ((n-j + 4) (n-j+1) -6)Mul 



Since counter j changes from 1 to n-1, the total 
computational complexity of the equation transforming unit 102a 
is 



=lMulx <l/6xn(n-l) (2n-l) +5/2 xn (n-1) -2 (n-1) ) 
=lMul x (l/6x n (n -1) (2n -1 +15) -2 (n-1)) 
=lMulx (l/6*n(n-l) (2n+14) -2 (n-1) ) 
=lMulx (l/3x n (n-l) (n+1) -2 (n-1) ) 
=lMulx (1/3 x (n-1) (n 2 +7n-6)) 
= (1 /3 xn 3 +2n 2 -1 3/3 xn +2) Mul 



Therefore, the overall computational complexity of the 
equation solving unit 202 equipped with the equation transforming 
unit 102a is given by 

( (l/3xn 3 +2n-13/3x n +2) + (4n-5) +1/2 xn (n+1)) Mul 
+llnv 

= (l/3xn 3 +5/2x n 2 +l/6xn-3)Mul+lInv 
Supposing Hnv=40Mul when n=5, the overall computational 



2^ ( (n -j +4) (n -j +1) -6) Mul 




complexity can be estimated at 142Mul. 
2.2. Oth er Modifications 

(1) In a communication system, such as a cryptographic 
communication system, a digital signature communication system, 
or an error correction communication system, whose security is 
based on the discrete logarithm problem on an elliptic curve E 
over an extension field GF(q) of a finite field GF(p) where p is 
a prime, q=p n , n is a positive integer, and G is a base point of 
E, the equation solving unit and the inversion apparatus of the 
invention may be used to calculate inverses of elements in the 
extension field GF ( q) . One example of cryptographic 
communication systems is an e-mail system on the Internet whereby 
messages are encrypted before transmission. One example' of 
digital signature communication systems is an electronic banking 
system. One example of error correction communication systems is 
an e-mail system whereby, in such cases that part of transmitted 
message is dropped due to deterioration in quality of a 
communication line, the error is detected and corrected. 

Also, the equation solving unit and the inversion apparatus 
of the invention may be used for encryption in a recording 
apparatus that encrypts copyrighted digital content using the 
elliptic curve discrete logarithm problem as the basis for 
security and records the encrypted digital content into a record 
medium such as a DVD or a semiconductor memory, or decryption in 
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a reproducing apparatus that decrypts the encrypted digital 
content stored in the record medium to reproduce the digital 
content . 

By applying the invention to these systems, the inverses of 
extension field elements can be computed with small computational 
complexity. 

In such applications, the equation solving unit and the 
inversion apparatus of the invention can be implemented, for 
example, as firmware stored in a mobile phone or a circuit board 
equipped in a personal computer. 

(2) Though the generator polynomial of the form g n -j3 has been 
used in the above embodiment, for an ordinary generator 
polynomial of the nth degree such as 

f(g)=0 n g n +0 n _ 1 g n ' 1 +- • • +/3 2 g 2 +/3 1 g+/3 

the inverse I of an element x in an extension field GF (q) 
{q=p n , n a positive integer) of a predetermined finite field 
GF(p) can be calculated in a similar manner. 

Let an ordinary polynomial f (g) of the nth degree be the 
generator polynomial and a be the root of f (g) . For an element 
x=x 0 +x 1 a+ ■ ■ ■ +x n _ 1 a' 1 in the extension field GF(q), when the 
coefficient of ot' 1 in (xxq? -1 mod f(a)) is denoted by a ijf a system 
of linear equations in n unknowns can be written as 
a nYo +a i2Yi +a i&2 + ' " +a mY n -i =1 

a 2lYo +a 2 2 Yl +a 23Y2 + ' ' ' +a 2nYn-r° 
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a n lY0 +a n2Yl + a n 3 Y2 + - ' ' +a nnY n -l =0 

The reason that the system of linear equations in n unknowns 
can be written like this is given below. 
The equations 

x xl=x *y 0 +x xy 2 xa+ • • • +x xy^cP' 1 
=2 mod f (a) 

and 

xxy 0 +xxy 1 xa+ • • • +Xxy n _ 1 cP~ 1 

=xxy 0 + (xxa mod f (a) ) *y 2 + - • • + (xxcf' 1 mod f (a) ) xy n _ J 

hold- The coefficient of at' 1 is given by 
a ii*Y 0 +a i2 x Yi+- -'+ a in*Yn-l 

The coefficients of a 1 ' 1 {i>2) are all 0 and the coefficient 
of a° (i=2) is 2. Hence the above system of linear equations in 
n unknowns is derived. 

(3) The invention may be the equation solving method and the 
inversion method used in the above described equation solving 
unit and inversion apparatus. The invention may also be computer 
programs for implementing these methods, or digital signals for 
executing the computer programs. 

Also, the invention may be computer-readable storage mediums, 
such as floppy disks, hard disks, CD-ROMs, MOs, DVDs, DVD-ROMs, 
DVD-RAMS, or semiconductor memories, that store the computer 
programs or the digital signals. Likewise, the invention may be 
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the computer programs or digital signals stored in such storage 
mediums . 

Also, the invention may be realized by transferring the 
computer programs or the digital signals on a carrier wave via a 
network such as a telecommunication network, a radio or cable 
communication network, or the Internet. 

Further, the invention may be realized by distributing the 
computer programs or the digital signals stored in the storage 
mediums or transferring the computer programs or the digital 
signals on the carrier wave via the network so that they can be 
used in other computer systems. 

(4) Various combinations of the embodiment and the 
modifications stated above are possible. 

Although the present invention has been fully described by 
way of examples with reference to the accompanying drawings, it 
is to be noted that various changes and modifications will be 
apparent to those skilled in the art. Therefore, unless such 
changes and modifications depart from the scope of the present 
invention, they should be construed as being included therein. 
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What is claimed is: 



1 1. An apparatus for use in encryption or decryption, for 

2 solving a system of linear equations Ax=b in n unknowns on a 

3 finite field GF (p) , where p is a prime, n is a positive integer, 

4 A is a coefficient matrix consisting of elements of n rows and n 

5 columns, x is a vector of unknowns consisting of n elements, and 

6 b is a constant vector consisting of n elements, the apparatus 

7 comprising: 

8 parameter storing means for storing the coefficient matrix 
a A and the constant vector b; 

W triangular transforming means for reading the coefficient 

11: matrix A and the constant vector b from the parameter storing 

12 : means, and transforming the read coefficient matrix A and 

13- constant vector b to generate a coefficient matrix C and a 

14 constant vector d for a system of linear equations Cx=d in n 

15- unknowns that is equivalent to the system of linear equations 

16 Ax=b, the coefficient matrix C consisting of elements of n rows 

17 and n columns and the constant vector d consisting of n elements, 

18 wherein the coefficient matrix A is triangular transformed into 

19 the coefficient matrix C of upper triangular form without 

20 diagonal elements of the coefficient matrix A being changed to 

21 2 ; 

22 diagonal element inverting means for calculating inverses of 

23 diagonal elements of the generated coefficient matrix C on the 
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24 finite field GF(p); and 

25 equation computing means for solving the system of linear 

26 equations Cx=d using the coefficient matrix C, the constant 

27 vector d, and the inverses of the diagonal elements of the 

28 coefficient matrix C, to thereby solve the system of linear 

29 equations Ax=b. 

1 2. The apparatus of Claim 1, 

2 wherein the triangular transforming means performs one or 
& more successive transformation processes to generate the 
ID coefficient matrix C and the constant vector d of the system of 
5- linear equations Cx=d from the coefficient matrix A and the 
6" constant vector b of the system of linear equations Ax=b, 

7- wherein in each transformation process the triangular 

8 transforming means transforms a coefficient matrix and a constant 

9: vector of a system of linear equations in n unknowns, into a 

lb" coefficient matrix and a constant vector of a system of linear 

11 equations in n unknowns that is equivalent to the system of 

12 linear equations before the transformation, where the system of 

13 linear equations Ax=b is subjected to the first transformation 

14 process and the system of linear equations Cx=d is generated as 

15 a result of the last transformation process, 

16 wherein in each transformation process the system of linear 

17 equations in n unknowns that is subjected to the transformation 
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18 includes one pivotal equation which is a linear equation serving 

19 as a pivot for the transformation and one or more object 

20 equations which are linear equations to be transformed, and the 

21 triangular transforming means transforms each of the object 

22 equations into an equation equivalent to the object equation by 

23 defining a first coefficient group containing at least one 

24 value related to the pivotal equation and a second coefficient 

25 group containing n+1 values related to the pivotal equation, 

26 changing a nonzero coefficient in the object equation to 0, 

27 and 

28j multiplying each of a constant and n coefficients in the 

29 object equation by the value in the first coefficient group, and 

Sff" subtracting the n+1 values in the second coefficient group 

3L respectively from the n+1 multiplication results. 

1 3. The apparatus of Claim 2, 

2 wherein each transformation process has transformation 

3 subprocesses each for transforming a separate one of the object 

4 equations, 

5 wherein in each transformation subprocess the triangular 

6 transforming means 

7 (a) chooses a nonzero coefficient from the pivotal equation 

8 and sets the chosen nonzero coefficient into the first 

9 coefficient group, 



68 



10 (b) chooses a nonzero coefficient from the object equation, 

11 multiplies each of a constant and n coefficients in the pivotal 

12 equation by the nonzero coefficient chosen from the object 

13 equation, and sets n+1 values obtained by the multiplications 

14 into the second coefficient group, 

15 (c) changes the chosen nonzero coefficient in the object 

16 equation to 0, and 

17 (d) multiplies each of a constant and n coefficients in the 

18 object equation by the nonzero coefficient in the first 
19= coefficient group, and subtracts the n+1 values in the second 
20. coefficient group respectively from the n+1 multiplication 
21: results. 

1- 4. The apparatus of Claim 3, 

2 wherein when the diagonal elements of the coefficient matrix 

3 C are denoted by m i (i=l ,2 , . . . ,n) and the inverses of the 

4 diagonal elements m i (i=l ,2 , . . . ,n) in the finite field GF (p) are 

5 denoted by I L (i=l ,2 , . . . ,n) , the diagonal element inverting means 

6 includes 

7 (a) a multiplying unit for computing 

t . =/Tm u ■ (except m .) mod p (i=l ,2 , . . . ,n) 
9 k=i 

10 and 

11 t=JJm k mod p 
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12 (b) a first inverting unit for computing 

13 u=l/t mod p 

14 and 

15 (c) a second inverting unit for computing 

16 I 1 =uxt i mod p (i=l ,2 , . . . ,n) 

17 to find the inverses I. (L=l ,2 , . . . ,n) . 

1 5. The apparatus of Claim 4, 

2 wherein the multiplying unit calculates 
3f s i =m i * m 2 mod P 

4J s 2 =s 1 *m 3 mod p 

6^: S n-3 =S n-4 Xm n-2 m ° d P 

7=3 in the stated order, then calculates 

8j t n =S n-3 Xm n-l m ° d P 

9i} t n-l =S n-3 Xm n m ° d P 

10 s n =m n _ 1 xm n mod p 

11 t n-2 =S n-4 XS n m ° d P 

12 S n-l =m n-2 XS n m ° d P 

13 t n-3 =S n-5 XS n-l m ° d P 

14 S n-2 =m n-3 XS n-l m ° d P 

15 t n-4 ==S n-6 XS n-2 m ° d P 

16 i 

17 s 5 =m 4 *s 6 mod p 
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18 t 3 =S l XS 5 m ° d P 

19 S 4 =m 3 XS 5 m ° d P 

20 t 2 =m 1 xs 4 mod p 

21 t 1 =m 2 xs 4 mod p 

22 in the stated order, and lastly calculates 

23 t=t i xm J . 

24 for a value j chosen from a set of positive integers 

25 {1,2,. . . ,n}. 

1- 6. The apparatus of Claim 2, 

2, wherein each transformation process has a coefficient group 

3- 1 calculation process and transformation subprocesses, performed 

4- " following the coefficient group calculation process, each for 
5 r transforming a separate one of the object equations, 

6 wherein in the coefficient group calculation process the 

7! triangular transforming means 

8 (a) chooses m nonzero coefficients by taking one nonzero 

9 coefficient from each of the pivotal equation and the object 

10 equations, multiplies each combination of (m-1) of the chosen 

11 nonzero coefficients, and sets the m multiplication results into 

12 the first coefficient group, m being a positive integer no 

13 smaller than 2, and 

14 (b) multiplies each of a constant and n coefficients in the 

15 pivotal equation by a multiplication result in the first 
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16 coefficient group for a combination of nonzero coefficients that 

17 does not include a nonzero coefficient chosen from the pivotal 

18 equation, and sets n+1 values obtained by the multiplications 

19 into the second coefficient group, and 

20 wherein in each of the transformation subprocesses following 

21 the coefficient group calculation process, the triangular 

22 transforming means 

23 (a) changes a nonzero coefficient chosen from the object 

24 equation in the coefficient group calculation process, to 0 in 

25 =j the object equation, and 

26? (b) multiplies each of a constant and n coefficients in the 

27i! object equation by a multiplication result in the first 

28- coefficient group for a combination of nonzero coefficients that 

29- = does not include the nonzero coefficient chosen from the object 
30J equation, and subtracts the n+1 values in the second coefficient 
313 group respectively from the n+1 multiplication results. 

1 7. The apparatus of Claim 6, 

2 wherein when the diagonal elements of the coefficient matrix 

3 C are denoted by m ± (i=l,2, . . . ,n) and the inverses of the 

4 diagonal elements in, (i=l,2, . . . ,n) in the finite field GF(p) are 

5 denoted by I ± (i=l ,2 , . . . ,n) , the diagonal element inverting means 

6 includes 

7 (a) a multiplying unit for computing 
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t i =]Jm k (excepting mod p (i=l ,2 , . . . ,n) 

9 1 k=1 

10 and 

11 t=JJm k mod p 

k=l 

12 

13 (b) a first inverting unit for computing 

14 u=l /t mod p 

15 and 

16 (c) a second inverting unit for computing 
17- I.=uxt i mod p (i=*l,2,. . . ,n) 

la. to find the inverses I ± (i=l ,2 , . . . f n) . 

\- 8. The apparatus of Claim 7, 

2_ wherein the multiplying unit calculates 

\ s 1 =m 1 xm 2 mod p 

= C s 2 =s 1 ^m 3 mod p 

5 = 

6 S n-3~ S n-4 Xm n-2 m ° d P 

7 in the stated order, then calculates 

8 t n~ S n-3 Xm n-1 mOCi P 

9 t n-l =S n-3 ><m n m ° d P 

10 S n =m n-1 * m n mC "^ P 

11 t n -2 =S n-4 * S n m ° d P 

12 S n -l =m n-2* S n m0< ^ P 
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13 t n-3 s=S n-5 XS B-l m ° d P 

14 S n-2 =ICl n-3 XS n-l mOC? P 

15 t n _ 4 =s n _ 6 xs n _ 2 mod p 

16 ; 

17 s 5 =m 4 *s 6 mod p 

18 t 3 =s I xs 5 mod p 

19 s 4 =m 3 *s s mod p 

20 t 2 =m 1 xs 4 mod p 

21 t 1 =m 2 xs 4 mod p 

22 : in the stated order, and lastly calculates 

23- t=tjxm 3 

24=" for a value j chosen from a set of positive integers 

25- {1,2,. .. r n). 

1 9. An apparatus for use in encryption or decryption, for 

2_ computing an inverse I of an element y in GF(q) which is an 

3 extension field of a finite field GF(p) , where p is a prime, 

4 q=p", and n is a positive integer, the apparatus comprising: 

5 equation generating means for generating a coefficient matrix 

6 A and a constant vector b for a system of linear equations Ax=b 

7 in n unknowns, using the element y and all coefficients of a 

8 generator polynomial of GF (q) whose root is a-, 

9 equation solving means for finding solutions of the system 
10 of linear equations Ax=b, the equation solving means including 
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the apparatus of Claim 1; and 

inverse computing means for computing the inverse I using the 
root a and the solutions found by the equation solving means. 

10. An apparatus for use in encryption or decryption, for 
computing an inverse I of an element y in GF (q) which is an 
extension field of a finite field GF(p) r where p is a prime, 
q=p n , and n is a positive integer, the apparatus comprising: 

equation generating means for generating a coefficient matrix 
A and a constant vector b for a system of linear equations Ax=b 
in n unknowns, using the element y and all coefficients of a 
generator polynomial of GF(q) whose root is a; 

equation solving means for" finding solutions of the system 
of linear equations Ax=b, the equation solving means including 
the apparatus of Claim 2; and 

inverse computing means for computing the inverse I using the 
root a and the solutions found by the equation solving means. 

11. An apparatus for use in encryption or decryption, for 
computing an inverse I of an element y in GF(q) which is an 
extension field of a finite field GF(p), where p is a prime, 
q=p n , and n is a positive integer, the apparatus comprising: 

equation generating means for generating a coefficient matrix 
A and a constant vector b for a system of linear equations Ax=b 
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in n unknowns, using the element y and all coefficients of a 
generator polynomial of GF(q) whose root is a; 

equation solving means for finding solutions of the system 
of linear equations Ax=b, the equation solving means including 
the apparatus of Claim 3; and 

inverse computing means for computing the inverse I using the 
root a and the solutions found by the equation solving means. 

12. An apparatus for use in encryption or decryption, for 
computing an inverse I of an element y in GF (q) which is an 
extension field of a finite field GF(p) r where p is a prime, 
q=p n , and n is a positive integer, the apparatus comprising: 

equation generating means for generating a coefficient matrix 
A and a constant vector b for a system of linear equations Ax=b 
in n unknowns, using the element y and all coefficients of a 
generator polynomial of GF (q) whose root is a; 

equation solving means for finding solutions of the system 
of linear equations Ax=b, the equation solving means including 
the apparatus of Claim 4; and 

inverse computing means for computing the inverse I using the 
root a and the solutions found by the equation solving means. 

13. An apparatus for use in encryption or decryption, for 
computing an inverse I of an element y in GF (q) which is an 
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3 extension field of a finite field GF(p), where p is a prime, 

4 q=p n r and n is a positive integer, the apparatus comprising: 

5 equation generating means for generating a coefficient matrix 

6 A and a constant vector b for a system of linear equations Ax=b 

7 in n unknowns, using the element y and all coefficients of a 

8 generator polynomial of GF(g) whose root is a; 

9 equation solving means for finding solutions of the system 

10 of linear equations Ax=b, the equation solving means including 

11 the apparatus of Claim 5; and 

12- inverse computing means for computing the inverse I using the 

13- root a and the solutions found by the equation solving means. 

1- 14. An apparatus for use in encryption or decryption, for 

2\ computing an inverse J of an element y in GF (q) which is an 

3^ extension field of a finite field GF (p) , where p is a prime, 

4 q=p n r and n is a positive integer, the apparatus comprising: 

5 equation generating means for generating a coefficient matrix 

6 A and a constant vector b for a system of linear equations Ax=b 

7 in n unknowns, using the element y and all coefficients of a 

8 generator polynomial of GF(q) whose root is a; 

9 equation solving means for finding solutions of the system 

10 of linear equations Ax=b, the equation solving means including 

11 the apparatus of Claim 6; and 

12 inverse computing means for computing the inverse J using the 
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13 



root a and the solutions found by the equation solving means. 



1 15. An apparatus for use in encryption or decryption, for 

2 computing an inverse I of an element y in GF(q) which is an 

3 extension field of a finite field GF (p) , where p is a prime, 

4 q=p n r and n is a positive integer, the apparatus comprising: 

5 equation generating means for generating a coefficient matrix 

6 A and a constant vector b for a system of linear equations Ax=b 

7 in n unknowns, using the element y and all coefficients of a 
EE generator polynomial of GF(g) whose root is a; 

& equation solving means for finding solutions of the system 

]<£ of linear equations Ax=b, the equation solving means including 

the apparatus of Claim 7; and 

]X inverse computing means for computing the inverse I using the 

13, root a and the solutions found by the equation solving means. 

1 16. An apparatus for use in encryption or decryption, for 

2 computing an inverse I of an element y in GF (q) which is an 

3 extension field of a finite field GF (p) , where p is a prime, 

4 q=p n , and n is a positive integer, the apparatus comprising: 

5 equation generating means for generating a coefficient matrix 

6 A and a constant vector b for a system of linear equations Ax=b 

7 in n unknowns, using the element y and all coefficients of a 

8 generator polynomial of GF (q) whose root is a; 
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9 equation solving means for finding solutions of the system 

10 of linear equations Ax=b, the equation solving means including 

11 the apparatus of Claim 8; and 

12 inverse computing means for computing the inverse I using the 

13 root a and the solutions found by the equation solving means. 

1 17. A record medium reproducing apparatus for computing, when 

2 copyrighted digital content has been encrypted using a discrete 

3 logarithm problem on an elliptic curve E over GF(q) as a basis 
4? for security and recorded on a record medium, an inverse I of an 
5= element y in GF(q) to decrypt the encrypted digital content 
61 recorded on the record medium, where GF(q) is an extension field 
7-" of a finite field GF(p) , p is a prime, g=p", n is a positive 
8:= integer, and G is a base point of the elliptic curve E, the 
9J record medium reproducing apparatus comprising: 

10:- equation generating means for generating a coefficient matrix 

11 A and a constant vector h for a system of linear equations Ax=£> 

12 in n unknowns, using the element y and all coefficients of a 

13 generator polynomial of GF(q) whose root is a; 

14 equation solving means for finding solutions of the system 

15 of linear equations Ax=b, the equation solving means including 

16 the apparatus of Claim 1; and 

17 inverse computing means for computing the inverse I using the 

18 root a and the solutions found by the equation solving means. 
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1 18. A record medium reproducing apparatus for computing, when 

2 copyrighted digital content has been encrypted using a discrete 

3 logarithm problem on an elliptic curve E over GF(q) as a basis 

4 for security and recorded on a record medium, an inverse I of an 

5 element y in GF (q) to decrypt the encrypted digital content 

6 recorded on the record medium, where GF(q) is an extension field 

7 of a finite field GF (p) , p is a prime, q=p n , n is a positive 

8 integer, and G is a base point of the elliptic curve E, the 
9.- record medium reproducing apparatus comprising: 

10- equation generating means for generating a coefficient matrix 

11- A and a constant vector b for a system of linear equations Ax=b 
ir in n unknowns, using the element y and all coefficients of a 
13_. generator polynomial of GF(q) whose root is a; 

14. equation solving means for finding solutions of the system 

llC of linear equations Ax=b, the equation solving means including 

16 the apparatus of Claim 2; and 

17 inverse computing means for computing the inverse I using the 

18 root a and the solutions found by the equation solving means. 

1 19. A record medium reproducing apparatus for computing, when 

2 copyrighted digital content has been encrypted using a discrete 

3 logarithm problem on an elliptic curve E over GF (q) as a basis 

4 for security and recorded on a record medium, an inverse I of an 
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5 element y in GF (q) to decrypt the encrypted digital content 

6 recorded on the record medium, where GF(q) is an extension field 

7 of a finite field GF(p) , p is a prime, q=p n , n is a positive 

8 integer, and G is a base point of the elliptic curve E, the 

9 record medium reproducing apparatus comprising: 

10 equation generating means for generating a coefficient matrix 

11 A and a constant vector b for a system of linear equations Ax=b 

12 in n unknowns, using the element y and all coefficients of a 

13 generator polynomial of GF(q) whose root is a; 

lil equation solving means for finding solutions of the system 

15- of linear equations Ax=b, the equation solving means including 

16i the apparatus of Claim 3; and 

17S inverse computing means for computing the inverse I using the 

lh root a and the solutions found by the equation solving means. 

ij 20. A record medium reproducing apparatus for computing, when 

2 copyrighted digital content has been encrypted using a discrete 

3 logarithm problem on an elliptic curve E over GF (q) as a basis 

4 for security and recorded on a record medium, an inverse I of an 

5 element y in GF (q) to decrypt the encrypted digital content 

6 recorded on the record medium, where GF(q) is an extension field 

7 of a finite field GF(p), p is a prime, q=p n , n is a positive 

8 integer, and G is a base point of the elliptic curve E, the 

9 record medium reproducing apparatus comprising: 
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10 equation generating means for generating a coefficient matrix 

11 A and a constant vector b for a system of linear equations Ax=b 

12 in n unknowns, using the element y and all coefficients of a 

13 generator polynomial of GF(q) whose root is a; 

14 equation solving means for finding solutions of the system 

15 of linear equations Ax=b, the equation solving means including 

16 the apparatus of Claim 4; and 

17 inverse computing means for computing the inverse I using the 

18 root a and the solutions found by the equation solving means. 

1~; 21. A record medium reproducing apparatus for computing, when 

2'i copyrighted digital content has been encrypted using a discrete 

3 : =! logarithm problem on an elliptic curve E over GF (q) as a basis 

4h for security and recorded on a record medium, an inverse I of an 

5j element y in GF (q) to decrypt the encrypted digital content 

63 recorded on the record medium, where GF(q) is an extension field 

7^ of a finite field GF(p), p is a prime, g=p", n is a positive 

8 integer, and G is a base point of the elliptic curve E, the 

9 record medium reproducing apparatus comprising: 

10 equation generating means for generating a coefficient matrix 

11 A and a constant vector b for a system of linear equations Ax=b 

12 in n unknowns, using the element y and all coefficients of a 

13 generator polynomial of GF (q) whose root is at 

14 equation solving means for finding solutions of the system 
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15 of linear equations Ax=b, the equation solving means including 

16 the apparatus of Claim 5; and 

17 inverse computing means for computing the inverse I using the 

18 root a and the solutions found by the equation solving means. 

1 22. A record medium reproducing apparatus for computing, when 

2 copyrighted digital content has been encrypted using a discrete 

3 logarithm problem on an elliptic curve E over GF(q) as a basis 

4 for security and recorded on a record medium, an inverse J of an 
5f element y in GF(q) to decrypt the encrypted digital content 
6- recorded on the record medium, where GF(q) is an extension field 
7^ of a finite field GF (p) , p is a prime, q=p n , n is a positive 
8 integer, and G is a base point of the elliptic curve E, the 
g_ record medium reproducing apparatus comprising: 

equation generating means for generating a coefficient matrix 

111 A and a constant vector b for a system of linear equations Ax=b 

12 in n unknowns, using the element y and all coefficients of a 

13 generator polynomial of GF (q) whose root is a; 

14 equation solving means for finding solutions of the system 

15 of linear equations Ax=b, the equation solving means including 

16 the apparatus of Claim 6; and 

17 inverse computing means for computing the inverse I using the 

18 root a and the solutions found by the equation solving means. 



83 



1 23. A record medium reproducing apparatus for computing, when 

2 copyrighted digital content has been encrypted using a discrete 

3 logarithm problem on an elliptic curve E over GF (q) as a basis 

4 for security and recorded on a record medium, an inverse I of an 

5 element y in GF(q) to decrypt the encrypted digital content 

6 recorded on the record medium, where GF(q) is an extension field 

7 of a finite field GF(p), p is a prime, g=p n , n is a positive 

8 integer, and G is a base point of the elliptic curve E, the 

9 record medium reproducing apparatus comprising: 

10 equation generating means for generating a coefficient matrix 

11 A and a constant vector b for a system of linear equations Ax=b 

12 in n unknowns, using the element y and all coefficients of a 

13 generator polynomial of GF(q) whose root is a; 

14 equation solving means for finding solutions of the system 

15 of linear equations Ax=b r the equation solving means including 
16- the apparatus of Claim 7; and 

17 inverse computing means for computing the inverse I using the 

18 root a and the solutions found by the equation solving means. 

1 24. A record medium reproducing apparatus for computing, when 

2 copyrighted digital content has been encrypted using a discrete 

3 logarithm problem on an elliptic curve E over GF (q) as a basis 

4 for security and recorded on a record medium, an inverse I of an 

5 element y in GF (q) to decrypt the encrypted digital content 
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6 recorded on the record medium, where GF(q) is an extension field 

7 of a finite field GF(p), p is a prime, q=p n , n is a positive 

8 integer, and G is a base point of the elliptic curve E, the 

9 record medium reproducing apparatus comprising: 

10 equation generating means for generating a coefficient matrix 

11 A and a constant vector b for a system of linear equations Ax=b 

12 in n unknowns, using the element y and all coefficients of a 

13 generator polynomial of GF (q) whose root is a; 

14 equation solving means for finding solutions of the system 
\i\ of linear equations Ax=b, the equation solving means including 
16- the apparatus of Claim 8; and 

!7_ inverse computing means for computing the inverse I using the 

18- root a and the solutions found by the equation solving means. 

. 1= 25. A method for solving a system of linear equations Ax=b 

2- in n unknowns on a finite field GF(p) where p is a prime, n is a 

3" positive integer, A is a coefficient matrix consisting of 

4 elements of n rows and n columns, x is a vector of unknowns 

5 consisting of n elements, and h is a constant vector consisting 

6 of n elements, for use in encryption or decryption in an 

7 apparatus equipped with parameter storing means which stores the 

8 coefficient matrix A and the constant vector b, the method 

9 comprising: 
10 
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11 a triangular transforming step for reading the coefficient 

12 matrix A and the constant vector b from the parameter storing 

13 means, and transforming the read coefficient matrix A and 

14 constant vector b to generate a coefficient matrix C and a 

15 constant vector d for a system of linear equations Cx=d in n 

16 unknowns that is equivalent to the system of linear equations 

17 Ax=b, the coefficient matrix C consisting of elements of n rows 

18 and n columns and the constant vector d consisting of n elements, 

19 wherein the coefficient matrix A is triangular transformed into 
20 ' the coefficient matrix C of upper triangular form without 
21 diagonal elements of the coefficient matrix A being changed to 
22 : It 

23 a diagonal element inverting step for calculating inverses 

24 of diagonal elements of the generated coefficient matrix C on the 

25 finite field GF(p); and 

26" an equation computing step for solving the system of linear 

27 equations Cx=d using the coefficient matrix C, the constant 

28 vector d, and the inverses of the diagonal elements of the 

29 coefficient matrix C, to thereby solve the system of linear 

30 equations Ax=b. 

1 26. The method of Claim 25, 

2 wherein the triangular transforming step includes one or more 

3 successive transformation processes to generate the coefficient 
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4 matrix C and the constant vector d of the system of linear 

5 equations Cx=d from the coefficient matrix A and the constant 

6 vector b of the system of linear equations Ax=b, 

7 wherein in each transformation process a coefficient matrix 

8 and a constant vector of a system of linear equations in n 

9 unknowns are transformed into a coefficient matrix and a constant 

10 vector of a system of linear equations in n unknowns that is 

11 equivalent to the system of linear equations before the 

12 transformation, where the system of linear equations Ax=b is 

13 i subjected to the first transformation process and the system of 

14- = linear equations Cx=d is generated as a result of the last 

15- [ transformation process, 

16^ wherein in each transformation process the system of linear 

1Z :i equations in n unknowns that is subjected to the transformation 

18 j includes one pivotal equation which is a linear equation serving 

19-3 as a pivot for the transformation and one or more object 

20 equations which are linear equations to be transformed, and each 

21 of the object equations is transformed into an equation 

22 equivalent to the object equation by 

23 defining a first coefficient group containing at least one 

24 value related to the pivotal equation and a second coefficient 

25 group containing n+1 values related to the pivotal equation, 

26 changing a nonzero coefficient in the object equation to 0, 

27 and 
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28 multiplying each of a constant and n coefficients in the 

29 object equation by the value in the first coefficient group, and 

30 subtracting the n+1 values in the second coefficient group 

31 respectively from the n+1 multiplication results. 

1 27. The method of Claim 26, 

2 wherein each transformation process has transformation 

3 subprocesses each for transforming a separate one of the object 

4 equations, 

5~ wherein in each transformation subprocess 

6* (a) a nonzero coefficient is chosen from the pivotal equation 

£= and set into the first coefficient group, 

8 - (b) a nonzero coefficient is chosen from the object equation, 

9: each of a constant and n coefficients in the pivotal equation is 

10. multiplied by the nonzero coefficient chosen from the object 

11. equation, and n+1 values obtained by the multiplications are set 

12 into the second coefficient group, 

13 (c) the chosen nonzero coefficient in the object equation is 

14 changed to 0, and 

15 (d) each of a constant and n coefficients in the object 

16 equation is multiplied by the nonzero coefficient in the first 

17 coefficient group, and the n+1 values in the second coefficient 

18 group are subtracted respectively from the n+1 multiplication 

19 results. 
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1 28. The method of Claim 27, 

2 wherein when the diagonal elements of the coefficient matrix 

3 C are denoted by m, (1=1 ,2 , . . . ,n) and the inverses of the 

4 diagonal elements m ± (1=1,2, ... ,n) in the finite field GF (p) are 

5 denoted by I i (i=l ,2 , . . . ,n) , the diagonal element inverting step 

6 includes 

7 (a) a multiplying substep for computing 
8 

t i =JJm k (except m L ) mod p (±=1,2, ... ,n) 

9 1 * =I 

101 and 

]1 : t= IT m k mod p 

12- 

13- (b) a first inverting substep for computing 

14: u=2/ 1 mod p 

LS- and 

16 (c) a second inverting substep for computing 

17 J i =uxt i mod p (1=1 ,2 , . . . ,n) 

18 to find the inverses I ± (1=1 ,2 , . . . ,n) . 

1 29. The method of Claim 28, 

2 wherein the multiplying substep calculates 

3 s 1 =m 1 ><m 2 mod p 

4 s 2 =s 1 ^m 3 mod p 

5 ; 
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6 S n-3 ==S n-4 Xm n-2 mOC ^ P 

7 in the stated order, then calculates 

8 t n =S n-3 Xm n-l m °°^ P 

9 t a-l~ S n-3 Xm n mOC * P 

10 S n =m n-1 * m n mo °^ P 

11 t n-2 =S n-4 XS n mOC ^ P 

12 S „-l =m n-2 XS n mOCi P 

13 t n-3 =S n-5 XS n-l m0< ^ P 

14 S n-2 =m n-3* S n-l mOCi P 

15 = t n-4 =S n-6 XS n-2 m °d P 

16- 

l?n s 5 =m 4 xs 6 mod p 

18 t 3 =s 1 xs 5 mod p 

IS. s 4 =m 3 xs 5 mod p 

20- t 2 =m 1 xs 4 mod p 

21- t 1 =m. 2 *s 4 mod p 

22 in the stated order, and lastly calculates 

23 t=t j xm j 

24 for a value j chosen from a set of positive integers 

25 {1,2,. . . ,n}. 

1 30. The method of Claim 2 6, 

2 wherein each transformation process includes a coefficient 

3 group calculation process and transformation subprocesses, 
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4 performed following the coefficient group calculation process, 

5 each for transforming a separate one of the object equations, 

6 wherein in the coefficient group calculation process 

7 (a) m nonzero coefficients are chosen by taking one nonzero 

8 coefficient from each of the pivotal equation and the object 

9 equations, each combination of (m-2) of the chosen nonzero 

10 coefficients is multiplied, and the m multiplication results are 

11 set into the first coefficient group, m being a positive integer 

12 no smaller than 2, and 

13:" (b) each of a constant and n coefficients in the pivotal 

14- equation is multiplied by a multiplication result in the first 

15- 1 - coefficient group for a combination of nonzero coefficients that 
ie : does not include a nonzero coefficient chosen from the pivotal 
ir_ equation, and n+1 values obtained by the multiplications are set 
16L into the second coefficient group, 

19l wherein in each of the transformation subprocesses following 

20 the coefficient group calculation process 

21 (a) a nonzero coefficient chosen from the object equation in 

22 the coefficient group calculation process is changed to 0 in the 

23 object equation, and 

24 (b) each of a constant and n coefficients in the object 

25 equation is multiplied by a multiplication result in the first 

26 coefficient group for a combination of nonzero coefficients that 

27 does not include the nonzero coefficient chosen from the object 
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28 
29 



equation, and the n+1 values in the second coefficient group are 
subtracted respectively from the n+1 multiplication results. 



1 31. The method of Claim 30, 

2 wherein when the diagonal elements of the coefficient matrix 

3 C are denoted by m ± (i=l ,2 , . . . ,n) and the inverses of the 

4 diagonal elements m ± (i=l ,2 , . . . ,n) in the finite field GF(p) are 

5 denoted by I ± (i=l ,2, . . . ,n) , the diagonal element inverting step 

6 includes 

7^ (a) a multiplying substep for computing 

t.=JJm k (except m ± ) mod p (i=l ,2 , . . . ,n) 
^ 1 k=i 

10"! anci 

! j£ t=]Jm k mod p 

k=l 

12J 

130 (b) a first inverting substep for computing 

14 u=l/t mod p 

15 and 

16 (c) a second inverting substep for computing 

17 I^ux^ mod p (1=1,2, ... ,n) 

18 to find the inverses I i (i=l ,2 , . . . ,n) . 

1 32. The method of Claim 31, 

2 wherein the multiplying substep calculates 
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3 s i =m i xm 2 m °d P 

4 s 2 =s i * m 3 m °d P 

5 = 

6 S n-3 =S n-4* m n-2 m ° d P 

7 in the stated order, then calculates 

8 t rT S n-3 * m n-l m ° d P 

9 t n-l =S n-3 XIR n m0< ^ P 

10 S n =m n-1 * m n mOCi P 

11 t n _ 2 =s n _ 4 *s n mod p 

12 S n-l =m n-2* S n m ° d P 
13_ t n-3 =S n-5 XS n-l m ° d P 
Hi S n-2 =m n-3* S n-l mC "^ P 

15 : t n _ 4 =s n _ 6 xs n _ 2 mod p 

16_ ; 

]j s 5 =m 4 *s 6 mod p 

]gr t 3 =s 1 xs 5 mod p 

19 s 4 =m 3 *s 5 mod p 

20 t 2 =m 1 xs 4 mod p 

21 t 1 =m 2 xs 4 mod p 

22 in the stated order, and lastly calculates 

23 t=tj *m. 

24 for a value j chosen from a set of positive integers 

25 {1,2, . . . ,n} . 
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ABSTRACT OF THE DISCLOSURE 

An equation transforming unit triangular transforms a matrix 
M and a vector v to generate a matrix M' and a vector v' for a 
system of linear equations M'x=v' in n unknowns that has an 
equivalence relation with a system of linear equations Mx=v in n 
unknowns. The triangular transformation is such that the matrix 
M is transformed into an upper triangular matrix without the 
diagonal elements of the matrix M being changed to 1. An 
inverting unit calculates the inverses of the diagonal elements 
of the matrix M' . An equation computing unit finds the solutions 
of the system of linear equations M'x=v' using the matrix M' , the 
vector v' r and the calculated inverses of the diagonal elements. 
An inverse computing unit computes the inverse I of an element y 
in GF(q) which is an extension field of a finite field GF(p), 
based on the solutions found by the equation computing unit. 
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